Ubiquitous surveillance

We now live in a world where it is highly likely that various web companies, your government, and your internet service provider are tracking your web browsing. Where facial recognition software identifies you at borders, airports, and subway stations. Where your DNA may be sampled if you are arrested. Where new face tracking software gets used with old photo archives and video camera footage. Where data on what you buy and how you repay your debts is sold between companies. Where cameras track your automobile license plate to build up a database of your movements. Where drones may watch you from the sky. Where computers transcribe your speech and handwriting into searchable text. Where you can be identified at a distance by the cards in your wallet. Where your emails, phone calls, and text messages are scanned for keywords, archived forever, and used to build up webs of your known associates. Where governments and private organizations use data mining techniques against you. Where your cell phone can easily be turned into a bug that passes on what you say and type, as well as where you are. Where your Google searches may be used as evidence against you. Where anyone can listen to your cell phone calls. Where the metadata in the photos and videos you make identifies you. Where the DNA of your family members may be used to incriminate you. Where anyone on your wireless network can archive and access all your web traffic, as well as steal website sessions. Where no encryption software you can acquire does much good. Where insecure means of communication are marketed as secure. Where archives containing your sensitive personal data can be broken into (or bought) by those who wish to cause you trouble. And where anything ill-considered you did as a teenager may re-emerge to cause embarrassment or worse decades later.

The appropriate responses to this are not clear. You can simply accept that your life is an open book that anyone who cares to can pretty easily read from. You can opt out of some services (like Facebook) and employ some available countermeasures. You can move to the remote countryside and become a technology-shunning subsistence farmer (which is not to imply that all farmers shun technology, nor manage only to subsist). You can try to drive legislative, regulatory, and technological changes that address some of the issues above. What else can you do?

Cell phones that pinpoint your location. Cameras that track your every move. Subway cards that remember. We routinely sacrifice privacy for convenience and security. So stop worrying. And get ready for your close-up.

This is a huge can of worms, Milan. For me, people’s use of the internet stems from something more human than the need for immediate communication. Email in its original form allowed for that. The rise of social media, profiles, Facebooks, etc., are all a product of people’s need to be noticed.

I remember, when I was younger, I knew a few people who wrote in diaries. Then someone started writing on freeopendiary.com. It seems like a contradiction, “open diary.” When you ask anyone why they did it, the answer is obvious. People want to find love and acceptance, and the internet made that immediate. I know many people who have met their partners through the internet, as an example. People who would rather post videos on Facebook, over Youtube, because friends are more likely to comment on it. The same reason you end this entry with the question “What else can you do?” You know very well, there is little that can be done, but you still want to know what other people think of it.

I think people are too quick to judge the internet, and the access to personal information it allows for. We make the choice to make our lives more online.

With regard to the entire blog entry, which I would call overly paranoid, I think it really is a matter of opinion. Even if all these infringements occur, I feel relatively unaffected by it. Am I naive or idealistic? Sure.

With regard to the “ubiquitous surveillance,” do you think you possibly get more attention because you have worked for the Canadian government, and have actively blogged about it?

I don’t know, as for the rest, what kind of company wouldn’t try to get more information from their client base if they were legally allowed?

First, I am certainly not saying that there aren’t great things about the internet. The internet is the main way in which I communicate.

Second, you can definitely choose not to make a big deal about the surveillance technologies that are being rolled out. One option for dealing with our changing world is just to accept the changes.

Third, something being used in a benign way today can be used in a malicious way tomorrow. I worry especially about governments. The 20th century shows how often governments have gone bad and abused the rights of their citizens. For any government that wants to clamp down on dissent today, these surveillance technologies are making it easier.

Not all of these technologies are being used in all places, but they do exist. Furthermore, the records they produce will probably exist forever and it is hard to know what consequences that will have.

Personally, I think giving up technology is too big a price to pay for privacy. That being said, I do think we should ask hard questions about the data being kept on us, whether it should be collected in the first place, and what laws and policies should govern the use of surveillance and the information acquired through surveillance practices and technologies.

Also, based on their records to date, I don’t think we can trust companies to protect our privacy and security from governments that have decided to act illegally or unethically.

When the US government asked the telecom companies to install secret rooms where warrantless interception of their network traffic would occur, the companies complied and kept it secret. That is probably a pattern many other companies follow around the world.

Skype might be great if you want to have innocuous conversations with friends back home. It might not be a great choice for talking about political reform in a country that may lock you up for discussing such things – or for trying to organize a union somewhere where workers are forbidden to do so – or even for having a conversation you want to be certain no third parties will overhear.

At this point, we cannot be confident that any conversation we have through a technological channel will be private. Nor can we be confident it will be ephemeral. It may be stored forever.

It may also be worth noting that the least privileged members of society are most likely to have their rights violated and least able to seek effective recourse when that occurs.

If you are a rich citizen of a state where the rule of law is respected, that’s one thing. If you are poor and living under a repressive and unaccountable government, the consequences of ubiquitous surveillance for you may be much worse.

And we know that companies from countries like the United States and Canada are selling surveillance technology to governments like Iran, China, and Saudi Arabia.

This is the one that worries me most too: “Third, something being used in a benign way today can be used in a malicious way tomorrow. I worry especially about governments. The 20th century shows how often governments have gone bad and abused the rights of their citizens. For any government that wants to clamp down on dissent today, these surveillance technologies are making it easier.”

As the Chinese government forges ahead on a multibillion-dollar effort to blanket the country with surveillance cameras, one American company stands to profit: Bain Capital, the private equity firm founded by Mitt Romney.

In December, a Bain-run fund in which a Romney family blind trust has holdings purchased the video surveillance division of a Chinese company that claims to be the largest supplier to the government’s Safe Cities program, a highly advanced monitoring system that allows the authorities to watch over university campuses, hospitals, mosques and movie theaters from centralized command posts.

The Bain-owned company, Uniview Technologies, produces what it calls “infrared antiriot” cameras and software that enable police officials in different jurisdictions to share images in real time through the Internet. Previous projects have included an emergency command center in Tibet that “provides a solid foundation for the maintenance of social stability and the protection of people’s peaceful life,” according to Uniview’s Web site.

Such surveillance systems are often used to combat crime and the manufacturer has no control over whether they are used for other purposes. But human rights advocates say in China they are also used to intimidate and monitor political and religious dissidents. “There are video cameras all over our monastery, and their only purpose is to make us feel fear,” said Loksag, a Tibetan Buddhist monk in Gansu Province. He said the cameras helped the authorities identify and detain nearly 200 monks who participated in a protest at his monastery in 2008.

On Monday, Nadeau also pressed Ouelette for his personal understanding of why there were photos of goats (one labeled “drunk goat”) on Sonne’s hard drive, and why the accused had used “Goatmaster” and “Toronto Goat” as his online usernames. Peter Copeland, one of Sonne’s lawyers, objected, saying that Ouelette wasn’t an expert on acronyms. Spies decided to hear the argument as “voir dire,” meaning she will decide later if it’s admissible as evidence. So, Ouelette opined that “Goat,” stood for “Greatest of All Time,” based on his knowledge of hockey, nicknames, and Wayne Gretzky.

Before yottabytes of data from the deep web and elsewhere can begin piling up inside the servers of the NSA’s new center, they must be collected. To better accomplish that, the agency has undergone the largest building boom in its history, including installing secret electronic monitoring rooms in major US telecom facilities. Controlled by the NSA, these highly secured spaces are where the agency taps into the US communications networks, a practice that came to light during the Bush years but was never acknowledged by the agency. The broad outlines of the so-called warrantless-wiretapping program have long been exposed—how the NSA secretly and illegally bypassed the Foreign Intelligence Surveillance Court, which was supposed to oversee and authorize highly targeted domestic eavesdropping; how the program allowed wholesale monitoring of millions of American phone calls and email. In the wake of the program’s exposure, Congress passed the FISA Amendments Act of 2008, which largely made the practices legal. Telecoms that had agreed to participate in the illegal activity were granted immunity from prosecution and lawsuits. What wasn’t revealed until now, however, was the enormity of this ongoing domestic spying program.

For the first time, a former NSA official has gone on the record to describe the program, codenamed Stellar Wind, in detail. William Binney was a senior NSA crypto-mathematician largely responsible for automating the agency’s worldwide eavesdropping network. A tall man with strands of black hair across the front of his scalp and dark, determined eyes behind thick-rimmed glasses, the 68-year-old spent nearly four decades breaking codes and finding new ways to channel billions of private phone calls and email messages from around the world into the NSA’s bulging databases. As chief and one of the two cofounders of the agency’s Signals Intelligence Automation Research Center, Binney and his team designed much of the infrastructure that’s still likely used to intercept international and foreign communications.

…

Binney left the NSA in late 2001, shortly after the agency launched its warrantless-wiretapping program. “They violated the Constitution setting it up,” he says bluntly. “But they didn’t care. They were going to do it anyway, and they were going to crucify anyone who stood in the way. When they started violating the Constitution, I couldn’t stay.” Binney says Stellar Wind was far larger than has been publicly disclosed and included not just eavesdropping on domestic phone calls but the inspection of domestic email. At the outset the program recorded 320 million calls a day, he says, which represented about 73 to 80 percent of the total volume of the agency’s worldwide intercepts. The haul only grew from there. According to Binney—who has maintained close contact with agency employees until a few years ago—the taps in the secret rooms dotting the country are actually powered by highly sophisticated software programs that conduct “deep packet inspection,” examining Internet traffic as it passes through the 10-gigabit-per-second cables at the speed of light.

The software, created by a company called Narus that’s now part of Boeing, is controlled remotely from NSA headquarters at Fort Meade in Maryland and searches US sources for target addresses, locations, countries, and phone numbers, as well as watch-listed names, keywords, and phrases in email. Any communication that arouses suspicion, especially those to or from the million or so people on agency watch lists, are automatically copied or recorded and then transmitted to the NSA.
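The excerpt describes a selector pipeline: every flow through the tap is compared against target addresses, watch-listed names and keywords, and anything that hits is copied. The block below is an added illustration of that logic, not Narus or NSA code. The watch list, the traffic, and the rule that only port 25 is treated as readable plaintext are all constructed for the demo; the point it makes beyond the excerpt is that encryption removes the keyword and address selectors but leaves the endpoint selectors untouched.

```python
"""Watch-list selector of the kind the excerpt describes (added example).

Constructed flows are checked the way a deep-packet-inspection tap would
check them: plaintext protocols are parsed and matched against watch-listed
addresses and keywords; encrypted flows yield only their envelope.
"""
import re
from dataclasses import dataclass

# Constructed watch list with the three selector kinds the excerpt names.
WATCHLIST = {
    "addresses": {"organiser@example.org"},
    "keywords": {"protest", "march on the ministry"},
    "hosts": {"198.51.100.7"},            # a server the agency is interested in
}


@dataclass
class Flow:
    src: str
    dst: str
    dport: int
    payload: bytes


def parse_smtp_message(payload: bytes):
    """Split a plaintext SMTP DATA section into (headers, body)."""
    text = payload.decode("utf-8", errors="replace")
    head, _, body = text.partition("\r\n\r\n")
    headers = {}
    for line in head.split("\r\n"):
        name, colon, value = line.partition(":")
        if colon:
            headers[name.strip().lower()] = value.strip()
    return headers, body


def inspect(flow: Flow, watchlist=WATCHLIST) -> dict:
    """Return the record a tap would produce for one flow."""
    record = {
        "src": flow.src, "dst": flow.dst, "dport": flow.dport,
        "bytes": len(flow.payload), "selectors": [], "content_visible": False,
    }
    # Endpoint selectors work on every flow, encrypted or not.
    for host in (flow.src, flow.dst):
        if host in watchlist["hosts"]:
            record["selectors"].append(f"host:{host}")
    if flow.dport == 25:                  # plaintext SMTP: content is readable
        record["content_visible"] = True
        headers, body = parse_smtp_message(flow.payload)
        for field in ("from", "to", "cc"):
            for addr in re.findall(r"[\w.+-]+@[\w.-]+", headers.get(field, "")):
                if addr.lower() in watchlist["addresses"]:
                    record["selectors"].append(f"address:{addr.lower()}")
        lowered = body.lower()
        for kw in watchlist["keywords"]:
            if kw in lowered:
                record["selectors"].append(f"keyword:{kw}")
    # Anything else (443, 993, ...) is opaque: only the envelope is seen.
    record["selectors"].sort()
    record["copied"] = bool(record["selectors"])   # a hit means copy to the agency
    return record


# Constructed traffic: two plaintext hits, one benign plaintext flow,
# one TLS flow to a watch-listed host, one benign TLS flow.
FLOWS = [
    Flow("192.0.2.10", "192.0.2.25", 25,
         b"From: alice@example.net\r\nTo: bob@example.com\r\n\r\n"
         b"The protest starts at noon; bring water.\r\n"),
    Flow("192.0.2.11", "192.0.2.25", 25,
         b"From: carol@example.net\r\nTo: organiser@example.org\r\n\r\n"
         b"Can you resend the minutes?\r\n"),
    Flow("192.0.2.12", "192.0.2.25", 25,
         b"From: dave@example.net\r\nTo: erin@example.com\r\n\r\n"
         b"Lunch on Friday?\r\n"),
    Flow("192.0.2.13", "198.51.100.7", 443, b"\x16\x03\x01" + bytes(61)),
    Flow("192.0.2.14", "203.0.113.80", 443, b"\x16\x03\x01" + bytes(61)),
]


def run_demo(flows=FLOWS):
    return [inspect(f) for f in flows]


if __name__ == "__main__":
    for rec in run_demo():
        print(rec)
```

The fourth flow is the one to notice: its content is invisible to the tap, yet it is still copied, because the selector that fired is the destination address. This is why the "we only collect who talked to whom" framing that appears later in this thread is not as reassuring as it sounds.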

My guess is that they can’t. That is, they don’t have a cryptanalytic attack against the AES algorithm that allows them to recover a key from known or chosen ciphertext with a reasonable time and memory complexity. I believe that what the “top official” was referring to is attacks that focus on the implementation and bypass the encryption algorithm: side-channel attacks, attacks against the key generation systems (either exploiting bad random number generators or sloppy password creation habits), attacks that target the endpoints of the communication system and not the wire, attacks that exploit key leakage, attacks against buggy implementations of the algorithm, and so on. These attacks are likely to be much more effective against computer encryption.
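Two of the implementation attacks listed in that comment, a key derived from a guessable password and a key drawn from a bad random number generator, can be shown against a 256-bit key without touching the cipher at all. The block below is an added example, not Schneier's code. It assumes the attacker has some way to test a key guess, modelled here as an HMAC "key check value" standing in for a ciphertext with known plaintext; the wordlist, passwords and seed are constructed, and the PBKDF2 iteration count is kept tiny so the demo runs in seconds.

```python
"""Attacking the key, not the cipher (added example)."""
import hashlib
import hmac
import random
import secrets

ITERATIONS = 200      # deliberately tiny for the demo; real KDFs use far more


def derive_key(password: str, salt: bytes) -> bytes:
    """Password -> 256-bit key via PBKDF2-HMAC-SHA256."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS, dklen=32)


def weak_rng_key(seed: int) -> bytes:
    """256-bit key from a Mersenne Twister seeded with a small value (a bad RNG)."""
    return random.Random(seed).getrandbits(256).to_bytes(32, "big")


def key_check_value(key: bytes) -> bytes:
    """What the attacker can observe: something only the right key reproduces.
    Assumption standing in for a ciphertext block with known plaintext."""
    return hmac.new(key, b"known-plaintext", "sha256").digest()[:8]


def guess_password(kcv: bytes, salt: bytes, wordlist):
    """Dictionary attack on the KDF input; cost is len(wordlist) KDF runs."""
    for candidate in wordlist:
        if hmac.compare_digest(key_check_value(derive_key(candidate, salt)), kcv):
            return candidate
    return None


def guess_seed(kcv: bytes, max_seed: int = 1 << 16):
    """Enumerate every seed the bad RNG could have used: 2**16 tries, not 2**256."""
    for seed in range(max_seed):
        if hmac.compare_digest(key_check_value(weak_rng_key(seed)), kcv):
            return seed
    return None


WORDLIST = ["password", "letmein", "Summer2012", "hunter2", "correct horse"]   # constructed


def demo():
    salt = b"\x00" * 16                  # fixed salt keeps the demo deterministic
    results = {}
    # 1. Weak password: the 256-bit key falls to a five-word list.
    results["password"] = guess_password(
        key_check_value(derive_key("hunter2", salt)), salt, WORDLIST)
    # 2. Weak RNG: the 256-bit key falls to 65,536 guesses.
    results["seed"] = guess_seed(key_check_value(weak_rng_key(31337)))
    # 3. Properly generated key: neither shortcut applies; only the 2**256 search remains.
    strong = secrets.token_bytes(32)
    results["strong_password"] = guess_password(key_check_value(strong), salt, WORDLIST)
    results["strong_seed"] = guess_seed(key_check_value(strong), max_seed=1 << 12)
    return results


if __name__ == "__main__":
    print(demo())
```

In both successful cases the attacker never evaluates a single AES operation against the real key; the work is bounded by the entropy of whatever produced the key, which is the point the comment is making.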

Deep End’s Paul Venezia discusses the ‘sci-fi fantasy’ that is privacy in the digital era. ‘The assault on personal privacy has ramped up significantly in the past few years. From warrantless GPS tracking to ISP packet inspection, it seems that everyone wants to get in on the booming business of clandestine snooping — even blatant prying, if you consider reports of employers demanding Facebook passwords prior to making hiring decisions,’ Venezia writes. ‘What happened? Did the rules change? What is it about digital information that’s convinced some people this is OK? Maybe the right to privacy we were told so much about has simply become old-fashioned, a barrier to progress.’

“Having opposed the previous government’s attempts to introduce mass surveillance of Internet communications, the Conservatives are planning to introduce the very same policy they previously described as a ‘culture of surveillance which goes far beyond counter terrorism and serious crime.’ The plan is essentially to allow stored communication data to be trawled without the inconvenience of needing a warrant or even any reasonable suspicion.”

The breakthrough was enormous, says the former official, and soon afterward the agency pulled the shade down tight on the project, even within the intelligence community and Congress. “Only the chairman and vice chairman and the two staff directors of each intelligence committee were told about it,” he says. The reason? “They were thinking that this computing breakthrough was going to give them the ability to crack current public encryption.”

That, he notes, is where the value of Bluffdale, and its mountains of long-stored data, will come in. What can’t be broken today may be broken tomorrow. “Then you can see what they were saying in the past,” he says. “By extrapolating the way they did business, it gives us an indication of how they may do things now.” The danger, the former official says, is that it’s not only foreign government information that is locked in weaker algorithms, it’s also a great deal of personal domestic communications, such as Americans’ email intercepted by the NSA in the past decade.

LONDON — British lawmakers and rights activists joined a chorus of protest Monday against plans by the government to give the intelligence and security services the ability to monitor the phone calls, e-mails, text messages and Internet use of every person in the country.

In a land where tens of thousands of surveillance cameras attest to claims by privacy advocates that Britain is the Western world’s most closely monitored society, the proposal has touched raw nerves, compounding arguments that its citizens live under what critics call an increasingly intrusive “nanny state.”

The debate in recent years has pitted those who justify greater scrutiny by reference to threats of terrorism and organized crime against those who cleave to more traditional notions of individual privacy.

But the current proposal would go a step further, raising the question of how security agencies can themselves keep track of a proliferation of newer technologies such as Skype, instant messaging and social networking sites that permit instant communication outside more traditional channels.

Wiretaps cost hundreds of dollars per target every month, generally paid at daily or monthly rates. To wiretap a customer’s phone, T-Mobile charges law enforcement a flat fee of $500 per target. Sprint’s wireless carrier Sprint Nextel requires police pay $400 per “market area” and per “technology” as well as a $10 per day fee, capped at $2,000. AT&T charges a $325 activation fee, plus $5 per day for data and $10 for audio. Verizon charges a $50 administrative fee plus $700 per month, per target.

“Facebook already shares its Law Enforcement Guidelines publicly, but we’ve never actually seen the data Menlo Park sends over to the cops when it gets a formal subpoena for your profile information. Now we know. This appears to be the first time we get to see what a Facebook account report looks like. The document was released by The Boston Phoenix as part of a lengthy feature titled ‘Hunting the Craigslist Killer,’ which describes how an online investigation helped officials track down Philip Markoff. The man committed suicide, which meant the police didn’t care if the Facebook document was published elsewhere, after robbing two women and murdering a third.”

The SXSW panel “Sex, Dating, and Privacy Online” described the myriad ways in which every step you take, every move you make, is online and searchable. Panel member Violet Blue, a sex educator and tech columnist, pointed to the loose security and privacy practices of dating websites recently exposed by the Electronic Frontier Foundation.

“Under construction by contractors with top-secret clearances, the blandly named Utah Data Center is being built for the National Security Agency. A project of immense secrecy, it is the final piece in a complex puzzle assembled over the past decade. Its purpose: to intercept, decipher, analyze, and store vast swaths of the world’s communications as they zap down from satellites and zip through the underground and undersea cables of international, foreign, and domestic networks. The heavily fortified $2 billion center should be up and running in September 2013. Flowing through its servers and routers and stored in near-bottomless databases will be all forms of communication, including the complete contents of private emails, cell phone calls, and Google searches, as well as all sorts of personal data trails — parking receipts, travel itineraries, bookstore purchases, and other digital ‘pocket litter.’ It is, in some measure, the realization of the ‘total information awareness’ program created during the first term of the Bush administration — an effort that was killed by Congress in 2003 after it caused an outcry over its potential for invading Americans’ privacy.”

When you ‘like’ something on Facebook or read an online newspaper, perhaps a dozen or more companies are squirrelling away data on your tastes, your habits, whether you’re male or female, old or young, gay or straight.

They mean no harm. They just want to give you, the customer, exactly what you want – it’s the grandfather of all business slogans. Their dilemma, now regulators’ noses are twitching, is how to serve you, and serve themselves, when what you want is to be left alone.

There are thousands of analytics companies, audience targeters, ad brokers, ad exchanges and the like that can collect and sell data-based services on internet users for 5,000 euros a time to big brands, which then buy ad space where their potential customers might be lurking.

You only know these trackers are at work if you read the fine print. The New York Times has a disclaimer saying it hires WebTrends and Audience Science to interpret its readers’ interests, and Britain’s Guardian newspaper says it pays Criteo and Quantcast, among others, to do the same.

“A bill already passed by the Senate and set to be rubber stamped by the House would make it mandatory for all new cars in the United States to be fitted with black box data recorders from 2015 onwards. Section 31406 of Senate Bill 1813 (known as MAP-21), calls for ‘Mandatory Event Data Recorders’ to be installed in all new automobiles and legislates for civil penalties to be imposed against individuals for failing to do so. ‘Not later than 180 days after the date of enactment of this Act, the Secretary shall revise part 563 of title 49, Code of Federal Regulations, to require, beginning with model year 2015, that new passenger motor vehicles sold in the United States be equipped with an event data recorder that meets the requirements under that part,’ states the bill.”

“A pair of researchers at Karlstad University have been able to establish how the Great Firewall of China sets about blocking unpublished Tor bridges. The GFC inspects web traffic looking for potential bridges and then attempts ‘to speak Tor’ to the hosts. If they reply, they’re deemed to be Tor bridges and blocked. While this looks like another example of the cat and mouse game between those wishing to surf the net anonymously and a government intent on curtailing online freedoms, the researchers suggest ways that the latest blocking techniques may be defeated.”
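The probing the summary describes is easy to model: the censor does not need to decrypt anything, it just connects to a suspect host, sends the first message of the Tor handshake and sees whether a Tor-like answer comes back. The block below is an added example, not the Karlstad researchers' code and not Tor's real wire protocol (the greeting bytes are a constructed stand-in). The countermeasure shown, a bridge that stays silent unless the greeting proves knowledge of a secret shared with its users out of band and carries a fresh nonce, is my own illustration of the kind of defence the summary alludes to, not the paper's specific proposal.

```python
"""Active probing of Tor bridges, and a bridge that does not answer probes
(added example)."""
import hashlib
import hmac
import os

CLIENT_HELLO = b"TOR-VERSIONS 3 4"     # constructed stand-in for the first Tor cell
BRIDGE_HELLO = b"TOR-VERSIONS 4"       # the reply that gives a plain bridge away


class PlainBridge:
    """Unpublished but otherwise ordinary bridge: answers anyone who speaks Tor."""
    def handle(self, data: bytes):
        return BRIDGE_HELLO if data == CLIENT_HELLO else None


class SecretBridge:
    """Bridge that answers only greetings carrying an HMAC under a shared secret
    over a fresh nonce; everything else is dropped without a reply."""
    NONCE_LEN, TAG_LEN = 16, 32

    def __init__(self, secret: bytes):
        self.secret = secret
        self.seen_nonces = set()

    def handle(self, data: bytes):
        if len(data) < self.NONCE_LEN + self.TAG_LEN:
            return None                                  # not even the right shape
        nonce = data[:self.NONCE_LEN]
        tag = data[self.NONCE_LEN:self.NONCE_LEN + self.TAG_LEN]
        hello = data[self.NONCE_LEN + self.TAG_LEN:]
        expected = hmac.new(self.secret, nonce + hello, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected) or nonce in self.seen_nonces:
            return None                                  # silent: looks like a dead port
        self.seen_nonces.add(nonce)
        return BRIDGE_HELLO if hello == CLIENT_HELLO else None


def client_greeting(secret: bytes = None) -> bytes:
    """What a real user sends: the plain greeting, or the authenticated one."""
    if secret is None:
        return CLIENT_HELLO
    nonce = os.urandom(16)
    tag = hmac.new(secret, nonce + CLIENT_HELLO, hashlib.sha256).digest()
    return nonce + tag + CLIENT_HELLO


def censor_probe(bridge) -> bool:
    """The GFC check from the summary: speak Tor to the suspect; a Tor reply means block."""
    return bridge.handle(CLIENT_HELLO) == BRIDGE_HELLO


def censor_replay(bridge, captured_greeting: bytes) -> bool:
    """A smarter probe: replay a greeting sniffed from a real user's connection."""
    return bridge.handle(captured_greeting) == BRIDGE_HELLO


def demo():
    secret = os.urandom(32)                   # handed to users out of band
    plain, hidden = PlainBridge(), SecretBridge(secret)
    greeting = client_greeting(secret)        # a real user's first message, also seen by the censor
    return {
        "plain_bridge_detected": censor_probe(plain),
        "secret_bridge_detected": censor_probe(hidden),
        "user_reaches_secret_bridge": hidden.handle(greeting) == BRIDGE_HELLO,
        "replay_detected_bridge": censor_replay(hidden, greeting),
    }


if __name__ == "__main__":
    print(demo())
```

The nonce bookkeeping is the part that is easy to get wrong: without it, a censor who can see a real user's traffic simply replays that user's greeting and the "secret" buys nothing. The defence only addresses the specific probe the summary describes; a censor can still block on other traffic fingerprints or on the fact that a reachable port never answers anything.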

AnonPaste is based on the open-source ZeroBin software. It is a minimalist, open-source online pastebin where the server has zero knowledge of pasted data. Data is encrypted/decrypted in the browser using 256-bit AES. More information on the project page.
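"Zero knowledge" here means something concrete: the browser encrypts before uploading, and the key is carried only in the URL fragment (the part after `#`), which browsers never include in the HTTP request, so the server stores ciphertext it cannot read. The block below is an added example of that pattern, not ZeroBin's or AnonPaste's code. The Python standard library has no AES, so a SHAKE-256 keystream plus an HMAC stands in for ZeroBin's AES; the storage layout, URL layout and "what the server sees" are the parts being demonstrated, and the host name is made up.

```python
"""Zero-knowledge pastebin pattern (added example)."""
import base64
import hashlib
import hmac
import os
from urllib.parse import urlsplit

SERVER_STORE = {}      # the server side: paste_id -> opaque blob, nothing else


def _subkeys(key: bytes):
    """Separate encryption and authentication keys derived from the URL key."""
    return (hashlib.sha256(key + b"enc").digest(),
            hashlib.sha256(key + b"mac").digest())


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    enc, mac = _subkeys(key)
    nonce = os.urandom(16)
    stream = hashlib.shake_256(enc + nonce).digest(len(plaintext))   # stand-in for AES
    ct = bytes(p ^ s for p, s in zip(plaintext, stream))
    tag = hmac.new(mac, nonce + ct, "sha256").digest()
    return nonce + ct + tag


def decrypt(key: bytes, blob: bytes) -> bytes:
    enc, mac = _subkeys(key)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(mac, nonce + ct, "sha256").digest()):
        raise ValueError("paste was modified on the server or in transit")
    stream = hashlib.shake_256(enc + nonce).digest(len(ct))
    return bytes(c ^ s for c, s in zip(ct, stream))


def create_paste(plaintext: bytes) -> str:
    """Browser side: encrypt locally, upload only the blob, put the key after '#'."""
    key = os.urandom(32)
    paste_id = base64.urlsafe_b64encode(os.urandom(9)).decode()
    SERVER_STORE[paste_id] = encrypt(key, plaintext)           # the only upload
    return f"https://paste.example/?{paste_id}#{base64.urlsafe_b64encode(key).decode()}"


def request_line_seen_by_server(url: str) -> str:
    """The HTTP request carries path and query; the fragment never leaves the browser."""
    parts = urlsplit(url)
    return f"GET {parts.path}?{parts.query}"


def open_paste(url: str) -> bytes:
    """Browser side again: fetch the blob by id, decrypt with the key from the fragment."""
    parts = urlsplit(url)
    key = base64.urlsafe_b64decode(parts.fragment)
    return decrypt(key, SERVER_STORE[parts.query])


def server_knows_key(url: str) -> bool:
    """Check the claim: neither the stored blob nor the request line contains the key."""
    parts = urlsplit(url)
    key = base64.urlsafe_b64decode(parts.fragment)
    return key in SERVER_STORE[parts.query] or parts.fragment in request_line_seen_by_server(url)


if __name__ == "__main__":
    link = create_paste(b"meet at the usual place")
    print(request_line_seen_by_server(link))   # no fragment, no key
    print(open_paste(link))
```

The caveat a practitioner wants next to the "zero knowledge" claim: the server still serves the JavaScript that does the encrypting. An operator (or anyone who can alter the script in transit) can ship a version that quietly posts the fragment back, so the property holds only against a server that is honest about its code. That gap is exactly the sort of thing the original post has in mind with "insecure means of communication are marketed as secure".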

National Security Agency whistleblower William Binney reveals he believes domestic surveillance has become more expansive under President Obama than President George W. Bush. He estimates the NSA has assembled 20 trillion ‘transactions’ — phone calls, emails and other forms of data — from Americans. This likely includes copies of almost all of the emails sent and received from most people living in the United States. Binney talks about Section 215 of the USA PATRIOT Act and challenges NSA Director Keith Alexander’s assertion that the NSA is not intercepting information about U.S. citizens.

The California Location Privacy Bill (SB 1434) proposes to require cellular phone companies to stop their practice of giving your location data to the police without a warrant. Phone companies would still be allowed to give your information to the police if they got a warrant, first.

Naturally, the CTIA — the mobile carriers’ industry association — opposes it. They say that it will be “unduly burdensome” to have to say no when the police show up without a warrant, and to keep track of how often they give your information to the cops, and why.

“The Syrian government is using Skype as a channel to infect activists’ systems with malware, installing Trojans and backdoors, according to security firm F-Secure. The evidence comes from a hard drive sent for analysis. ‘The activist’s system had become infected as a result of a Skype chat. The chat request came from a fellow activist. The problem was that the fellow activist had already been arrested and could not have started the chat. Initial infection occurred when the activist accepted a file called MACAddressChanger.exe over the chat. This utility was supposed to change the hardware MAC address of the system in order to bypass some monitoring tools. Instead, it dropped a file called silvia.exe which was a backdoor — a backdoor called “Xtreme RAT.” Xtreme Rat is a full-blown malicious Remote Access Tool.'”

Snooping on new media: Spies, lies and the internet
Plans to extend surveillance and secrecy are causing alarm within the coalition and outside it

…

The government insists it will not seek access to the content of communications, but says it can gain valuable intelligence by simply monitoring who is talking to whom, and where and when. Getting such traffic figures does not require a judicial warrant now, so the new plans are about modernising surveillance techniques, not expanding their scope.

Put simply, a computer or personal electronic device can no longer be viewed as a “thing,” Mr. Justice Thomas Heeney ruled, in rejecting the Crown’s bid to have the contents of Mr. Rafferty’s laptop admitted as evidence.

Rather, he said, recent case law holds that because a computer can contain huge amounts of personal information – e-mails, bank records, memos, documents, photos – it should be regarded as a “place,” akin to a house.

In this instance, the warrants targeted two homes and two cars and all were in order as far as they went, the judge found. Nor was anything amiss about how the searches were conducted – up to the point where various computers were seized.

At that stage, a secondary warrant was needed and, if requested, would likely have been granted, Judge Heeney wrote.

Yet none was obtained, despite the omission being flagged both by the Justice of the Peace who issued the warrants and later by an Ontario Provincial Police forensic detective.

CISPA was rammed through the House of Representatives without regard for civil liberties, but the campaign to stop shortsighted cybersecurity legislation is not over yet. We’ve got another chance to stop these bills in the Senate and prevent the government from sacrificing online civil liberties in the name of “cybersecurity.” EFF, Demand Progress, Fight for the Future, and Free Press are joining forces to oppose these bad laws. Can you help us out? Use our online tool to call your Senators and tell them to oppose dangerously vague cybersecurity legislation and support privacy protective amendments. Call now.

DigitalGlobe imagery of Leitrim taken last February (see low-resolution sample at right) shows that a 600-metre-diameter circle has been cleared at the northern end of the station, presumably to host a new antenna array.

The new cleared space overlaps but is not quite concentric with a large circular area that was cleared and graded around 1967. The original space was suitable for a large circularly disposed antenna array (CDAA) such as an FRD-10, but no array was ever built on the site. It is probably not a coincidence that two FRD-10 arrays were built at other stations in Canada (Gander and Masset) at around the same time, under a program called Project Beagle. It is possible that the original Project Beagle called for the construction of three FRD-10 arrays, but that the Leitrim array was cancelled at some point early in the process, most likely for budgetary reasons.

Have you ever wondered what happens when you type your query into the Google search box and what data we store about that search?

Let’s take a simple search like “cars.” When someone types the word “cars” into the Google search engine, the request gets sent from that user’s computer over the internet to our computers, which look for the right search results. Once our computers have found the results, they send these back to the user’s computer, all in a fraction of a second.

We then store some data about this exchange: the search query (“cars”), the time and date it was typed, the IP address and cookie of the computer it was entered from, and its browser type and operating system. We refer to these records as our search logs, and most websites store records of visits to their site in a similar way.
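Those five fields (query, timestamp, IP address, cookie, browser and OS) are enough to do more than count visits. The block below is an added example built on constructed records in a made-up format, not Google's logs or code. It shows why the cookie matters more than the IP address for linking searches into a profile, and what a common "anonymization" step (zeroing the last octet of the IP and dropping the cookie) does and does not hide.

```python
"""What a search log lets you reconstruct (added example, constructed records)."""
from collections import defaultdict

SEARCH_LOG = [   # constructed; one user moves from an office network to a cafe
    {"ts": "2012-04-10T08:02:11Z", "ip": "203.0.113.45", "cookie": "740674ce",
     "ua": "Firefox/11.0; Windows NT 6.1", "q": "cars"},
    {"ts": "2012-04-10T08:05:40Z", "ip": "203.0.113.45", "cookie": "740674ce",
     "ua": "Firefox/11.0; Windows NT 6.1", "q": "divorce lawyer ottawa"},
    {"ts": "2012-04-10T12:31:02Z", "ip": "198.51.100.9", "cookie": "740674ce",
     "ua": "Firefox/11.0; Windows NT 6.1", "q": "flights to tehran"},
    {"ts": "2012-04-10T08:07:19Z", "ip": "203.0.113.46", "cookie": "1b9e77ad",
     "ua": "Safari/534.57; Mac OS X 10.6", "q": "bicycle repair"},
]


def profiles(records, identity):
    """Group queries by whatever the analyst treats as 'the same person'."""
    grouped = defaultdict(list)
    for r in records:
        grouped[identity(r)].append(r["q"])
    return dict(grouped)


def by_cookie(r):
    return r["cookie"]


def by_ip(r):
    return r["ip"]


def anonymize(r, keep_octets=3):
    """Typical log 'anonymization': truncate the IP address and drop the cookie."""
    octets = r["ip"].split(".")
    truncated = ".".join(octets[:keep_octets] + ["0"] * (4 - keep_octets))
    return {**r, "ip": truncated, "cookie": None}


def demo():
    raw_by_cookie = profiles(SEARCH_LOG, by_cookie)
    raw_by_ip = profiles(SEARCH_LOG, by_ip)
    anon = [anonymize(r) for r in SEARCH_LOG]
    return {
        # the cookie follows the user from the office network to the cafe
        "cookie_740674ce": raw_by_cookie["740674ce"],
        # the IP alone splits that one person into two sessions
        "ip_203.0.113.45": raw_by_ip["203.0.113.45"],
        # after truncation, two different people on the same /24 are merged
        "anon_203.0.113.0": profiles(anon, by_ip)["203.0.113.0"],
        # and with the cookie gone, cookie-based grouping collapses entirely
        "anon_by_cookie_keys": list(profiles(anon, by_cookie)),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

Note what the anonymized log still contains: the query strings themselves, with timestamps. A handful of specific queries from one session can identify a person without any IP or cookie at all, which is why "we anonymize the logs" is a weaker promise than it sounds.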

The Electronic Frontier Foundation (EFF) has created this Surveillance Self-Defense site to educate the American public about the law and technology of government surveillance in the United States, providing the information and tools necessary to evaluate the threat of surveillance and take appropriate steps to defend against it.

“A new report from Evidon, whose browser plug in Ghostery tracks Web trackers, makes it plain that ‘if you want to worry about somebody tracking you across the Web, worry about Google,’ writes blogger Dan Tynan. Google and Facebook, and their various services, occupy all of the top 5 slots on the Evidon Global Tracker Report’s list of the most prolific trackers. ‘And if you have any tracking anxiety left over, apply it to social networks like Facebook, G+, and Twitter,’ adds Tynan.”

OTTAWA – Airports and border crossings across Canada are being wired with high-definition cameras and microphones that can eavesdrop on travellers’ conversations, according to the Canada Border Services Agency.

A CBSA statement said that audio-video monitoring and recording is already in place at unidentified CBSA sites at airports and border points of entry as part of an effort to enhance “border integrity, infrastructure and asset security and health and safety.”

As part of the work, the agency is introducing audio-monitoring equipment as well.

“It is important to note that even though audio technology is installed, no audio is recorded at this time. It will become functional at a later date,” CBSA spokesman Chris Kealey said in a written statement.

But whenever that occurs, the technology, “will record conversations,” the agency said in a separate statement in response to questions from the Ottawa Citizen.

At Ottawa’s airport, signs will be posted referring passersby to a “privacy notice” that will be posted on the CBSA website once the equipment is activated, and to a separate help line explaining how the recordings will be used, stored, disclosed and retained.

So Google Plus was formed more into a unifier of all of Google’s products and services, further evidenced by the controversial unified privacy policy released earlier this year. Everything done on non-Search services adds to the “filter bubble” where search results are filtered based on what a user likes on YouTube, Plus, GMail contents etc.

For Google and advertisers, a user’s “fingerprint” of browsing habits and their profile of what interests them is further built and enhanced by unifying all of the data gathered across all of the separate services umbrella’d under the new privacy policy and linked via the Google Plus login.

…

But eventually, as indicated by the Google Plus links everywhere, Google Plus will be everything. Every YouTube account is really the video section of Google Plus. Search is just querying the Internet via Google Plus. GMail accounts are Google Plus recipients, and so on.

This is the goal of Google Plus. It tried to magically overcome Facebook, and that obviously did not work, so instead Google Plus has a new strategy: if it can’t hit the target, encompass it. Wrap everything else around Facebook and the users will cope.

“The BBC reports that the UK’s Draft Communications Bill includes a provision which could be used to force the Royal Mail and other mail carriers to retain data on all physical mail passing through their networks. The law could be used to force carriers to maintain a database of any data written on the outside of an envelope or package which could be accessed by government bodies at will. Such data could include sender, recipient and type of mail (and, consequentially, the entire contents of a postcard). It would provide a physical analog of the recently proposed internet surveillance laws. The Home Office claims that it has no current plans to enforce the law.”

This isn’t the first time that an Executive has seized the general authority to search through the private communications and papers without individualized suspicion. To the contrary, the United States was founded in large part on the rejection of “general warrants” – papers that gave the Executive (then the King) unchecked power to search colonial Americans without cause. The Fourth Amendment was adopted in part to stop these “hated writs” and to make sure that searches of the papers of Americans required a probable cause showing to a court. Indeed, John Adams noted that “the child Independence was born,” when Boston merchants unsuccessfully sued to stop these unchecked powers, then being used by British customs inspectors seeking to stamp out smuggling.

The current warrantless surveillance programs on both sides of the Atlantic return us to the policies of King George III only with a digital boost. In both, our daily digital “papers” — including intimate information such as who we are communicating with, what websites we visit (which of course includes what we’re reading) and our locations as we travel around with our cell phones — are collected and subjected to some sort of datamining. Then we’re apparently supposed to trust that no one in government will ever misuse this information, that the massive amounts of information about us won’t be subject to leak or attack, and that whatever subsequent measures are put into place to govern access to it by various government agencies will be sufficient to protect our privacy and ensure due process, fairness and security.

Amesys, with its Eagle system, was just one of Libya’s partners in repression. A South African firm called VASTech had set up a sophisticated monitoring center in Tripoli that snooped on all inbound and outbound international phone calls, gathering and storing 30 million to 40 million minutes of mobile and landline conversations each month. ZTE Corporation, a Chinese firm whose gear powered much of Libya’s cell phone infrastructure, is believed to have set up a parallel Internet monitoring system for External Security: Photos from the basement of a makeshift surveillance site, obtained from Human Rights Watch, show components of its ZXMT system, comparable to Eagle. American firms likely bear some blame, as well. On February 15, just prior to the revolution, regime officials reportedly met in Barcelona with officials from Narus, a Boeing subsidiary, to discuss Internet-filtering software. And the Human Rights Watch photos also clearly show a manual for a satellite phone monitoring system sold by a subsidiary of L-3 Communications, a defense conglomerate based in New York.

He once was known as al-Jamil—the Handsome One—for his chiseled features and dark curls. But four decades as dictator had considerably dimmed the looks of Moammar Gadhafi. At 68, he now wore a face lined with deep folds, and his lips hung slack, crested with a sparse mustache. When he stepped from the shadows of his presidential palace to greet Ghaida al-Tawati, whom he had summoned that evening by sending one of his hulking female bodyguards to fetch her, it was the first time she had seen him without his trademark sunglasses; his eyes were hooded and rheumy. The dictator was dressed in a white Puma tracksuit and slippers. How tired and thin he looked in person, Tawati thought.

It was February 10, 2011, and Libya was in an uproar. Two months earlier, in neighboring Tunisia, a street vendor named Mohammed Bouazizi had set himself on fire after a policewoman beat him and confiscated his wares. It was the beginning of the Arab Spring, a series of uprisings, revolutions, and civil wars that would radically alter the politics of the Middle East. In Libya, opponents of the Gadhafi regime had called for a day of protest on February 17, to mark the anniversary of a 2006 protest in the city of Benghazi, where security forces had killed 11 demonstrators and wounded dozens more.

Tawati was one of the most outspoken dissidents blogging openly from inside Libya. Thirty-four years old, with a gravelly childlike voice and singsong laugh that belied her deep stubbornness, she had come to political consciousness during the mid-2000s, at a time when Gadhafi, seeking reconciliation with the West, had ceased using his most heavy-handed tactics of repression—such as outright massacres—and allowed a modicum of public dissent. During her university days, when the Internet had begun to ease the country’s isolation, Tawati took naturally to the roles of gadfly and outsider. Her parents had divorced when she was young; in Libya’s deeply conservative culture, growing up with a single mother made her a social outcast. The injustice she experienced as a child led her to critique the injustice of the dictatorial regime, particularly on women’s issues—for example, she blogged about a sexual abuse scandal at a home for unwed mothers institutionalized by the Gadhafi government. Over time she won a modest following online. As the planned protests of February 17 approached, Tawati, always prone to impassioned rhetoric, blogged that if Libyans failed to turn out for the demonstrations she would burn herself just as Bouazizi had done. Somehow Gadhafi himself had heard news of this threat and decided he needed to meet her.

Despite the dictator’s haggard appearance, his manner remained confident and effusive. When he wanted to be, Gadhafi was a legendary charmer, a man deeply at ease with ordinary Libyans. He shook Tawati’s hand and patted her shoulder paternally, directing her to sit next to him on the sofa. He asked her about her health, her family, where she was from. He asked her who had taught her to write. She told him about her demands for greater openness and accountability in Libya, taking care not to criticize him directly. He seemed sympathetic, nodding at various points. Finally she worked up the courage to ask him why the government had blocked YouTube several months earlier.

Gadhafi acted oblivious. “Is it switched off?” he asked.

—

“Despite television being a rather tough nut to crack, Intel is apparently hoping that its upcoming set-top box and subscription service will be its golden ticket to delivering more Intel processors to the living room. The service would be a sort of specialized virtual cable subscription that would combine a bundle of channels with on demand content. So what’s Intel’s killer feature that distinguishes it from the vast and powerful competition? Granular ratings that result in targeted ads. Intel is promising technology in a set-top box that can distinguish who is watching, potentially allowing Intel to target advertising. The technology could potentially identify if the viewer is an adult or a child, male or female, and so on, through interactive features and face recognition technology.”

“A new startup has technology to read fingerprints from up to 6 meters away. IDair currently sells to the military, but they are beta testing it with a chain of 24-hour fitness centers that want to restrict sharing of access cards. IDair also wants to sell this to retail stores and credit card companies as a replacement for physical cards. Lee Tien from the EFF notes that the security of such fingerprint databases is a privacy concern.”

“The Economist is reporting on two research teams, one at Harvard and another at the University of Hong Kong, who have developed software to detect what posts to Chinese social media get censored. ‘The team has built up a database comprising more than 11m posts that were made on 1,382 Chinese internet forums. Perhaps their most surprising result is that posts critical of the government are not rigorously censored. On the other hand, posts that have the purpose of getting people to assemble, potentially in protest, are swept from the internet within a matter of hours.’ Chinese censors may soon have to deal with an unprecedented transparency of their actions.”

President Obama has issued a new executive order: ‘Assignment of National Security and Emergency Preparedness Communications Functions.’ EPIC reports: ‘The Executive Order grants new powers to the Department of Homeland Security, including the ability to collect certain public communications information. Under the Executive Order the White House has also granted the Department the authority to seize private facilities when necessary, effectively shutting down or limiting civilian communications.’

Federal, state, and local law enforcement agencies have made over 1.3 million demands for user cell phone data in the last year, “seeking text messages, caller locations and other information.” The New York Times called the new findings proof of “an explosion in cellphone surveillance” in the United States — much of it done without a warrant. It’s time for cell phone companies to start producing regular transparency reports about the data they hand to the government. And Congress should see this as a call-to-action to pass robust privacy legislation mandating warrants for cell phone subscriber, cell tower, and GPS data.

RT had a very interesting interview with former NSA official turned whistleblower Thomas A. Drake, who said, ‘Security has effectively become the State religion; you don’t question it. And if you question it, then your loyalty is questioned.’ ‘Speaking truth of power is very dangerous in today’s world,’ he added. The interviewer pointed out that investigative journalists are labeled as ‘terrorist helpers’ for trying to reveal the truth, to which Drake said the government’s take is ‘you go after the messenger because the last thing you want to do is deal with the message.’

“The Sixth Circuit Court of Appeals has held that it is okay for police to track your cellphone signal without a warrant. Using information about the cell tower that a prepaid cell phone was connected to, the police were able to track a suspected drug smuggler. Apparently, keeping your cellphone on is authorization for the police to know where you are. According to the ruling (PDF), ‘[The defendant] did not have a reasonable expectation of privacy in the data emanating from his cell phone that showed its location.’ Also, ‘if a tool used to transport contraband gives off a signal that can be tracked for location, certainly the police can track the signal.’”

WHEN investigators try to discover what caused an airliner to crash, the first thing they hope to find are the flight data recorders, popularly known as “black boxes”. These devices, usually painted bright orange, record how the aircraft was flying and the last 30 minutes or so of conversation in the cockpit. The information extracted from them has helped to determine the cause of air crashes and to improve aviation safety. Similar recording systems are fitted to some trains, ships and lorries. Now a bill in America’s Congress seeks to make it compulsory for data recorders to be fitted to all cars by 2015.

The idea is that data captured by the recorders would give investigators and road-safety officials a better understanding of how certain crashes come about. It would also help police and insurance companies to apportion blame. What many drivers may not realise, however, is that most cars already record data if they are involved in an accident, and that this information can be read by anyone with the right kit.

The technology that America’s lawmakers want to be made compulsory was originally intended for another purpose. With the widespread adoption of airbags, which began in the late 1980s, General Motors (GM), an airbag pioneer, wanted better analysis of how airbags were deployed, to improve their reliability and effectiveness. To obtain the data it required, GM began fitting a small memory unit to the electronic module that triggers the airbags. Ford, Chrysler and other carmakers followed suit. Around 80% of the cars sold in America now have these devices, called event data recorders (EDRs).

A BIG BANK hires a star analyst from another firm, promising to pay a substantial bonus if the new hire increases revenue or cuts costs. In banking this happens all the time, but this deal differs from the rest in one small detail: the new hire, Watson, is an IBM computer.

Watson became something of a celebrity after beating the champion human contestants on “Jeopardy”, an American quiz show. Its skill is to be able to process millions of documents quickly by reading and “understanding” ordinary written language. Computers have no trouble with searching data neatly sorted in databases. Watson’s claim to fame is that it can do the same with “unstructured data” such as those found in e-mails, news reports, books and websites. IBM hopes that Watson may, in time, do some of the work that human analysts do now, such as reading the financial pages of newspapers, looking at thousands of company results and forecasts and producing a list of companies that might be takeover targets soon.

Citigroup has hired Watson to help it decide what new products and services (such as loans or credit cards) to offer its customers. The bank doesn’t say so, but Watson’s first job may well be to try to cut down on fraud and look for signs of customers becoming less creditworthy. If so, Watson will be following other computers designed to deal with “big data”. Across a slew of new firms in Silicon Valley and in big banks across the world, a range of new ideas is being tried to crunch data. Some have the potential to change banking from the bottom up.

Bar owners gain publicity and intelligence about their customers. Did a promotion aimed at women attract many? Since drinks are often paid for in cash and by men, it used to be hard to tell.

SceneTap’s cameras are watching more than 100 American watering holes. But they are controversial. The app could make life irksome for large groups of women, by summoning hordes of predatory males. So SceneTap has fixed its software to mask extreme sex imbalances. That will please bar owners, who would prefer not to admit when they are packed with men. But it will disappoint precisely the people most likely to use the app.

When Libyan rebels finally wrested control of the country last year away from its mercurial dictator, they discovered the Qaddafi regime had received an unusual gift from its allies: foreign firms had supplied technology that allowed security forces to track nearly all of the online activities of the country’s 100,000 Internet users. That technology, supplied by a subsidiary of the French IT firm Bull, used a technique called deep packet inspection (DPI) to capture e-mails, chat messages, and Web visits of Libyan citizens.

The fact that the Qaddafi regime was using deep packet inspection technology wasn’t surprising. Many governments have invested heavily in packet inspection and related technologies, which allow them to build a picture of what passes through their networks and what comes in from beyond their borders. The tools secure networks from attack—and help keep tabs on citizens.

Narus, a subsidiary of Boeing, supplies “cyber analytics” to a customer base largely made up of government agencies and network carriers. Neil Harrington, the company’s director of product management for cyber analytics, said that his company’s “enterprise” customers—agencies of the US government and large telecommunications companies—are “more interested in what’s going on inside their networks” for security reasons. But some of Narus’ other customers, like Middle Eastern governments that own their nations’ connections to the global Internet or control the companies that provide them, “are more interested in what people are doing on Facebook and Twitter.”

NetFalcon is targeted at very specific audiences: law enforcement agencies, telecom carriers and large ISPs, and very large companies in heavily regulated or secretive industries willing to pay for what amounts to an intelligence community grade solution. But for other organizations that already have application firewalls, intrusion detection systems or other DPI systems installed, there may not be a budget or need for Bivio’s type of technology. Take, for example, the University of Scranton, which uses Splunk to drive its information security operations.

Unlike NetFalcon, Splunk “is a huge database, but it doesn’t come with preconfigured alerts,” said Anthony Maszeroski, Information Security Manager at the University of Scranton (located in Scranton, Pennsylvania). The university has about 5,200 students—about half of whom live on campus—and has turned Splunk into the hub of its network security operations, using it to automate a large percentage of its responses to emerging threats.

Maszeroski said the IT department at Scranton pulls in data from a variety of systems. The campus’ wireless and wired routers send logs for Dynamic Host Configuration Protocol and Network Address Translation events to Splunk, which includes the physical MAC address of the devices connecting with a timestamp. This allows administrators to search the database by device address and follow where they’ve connected from on campus. The database also pulls in information on outbound DNS queries and other types of application traffic, enterprise system logs, and events from the University’s intrusion prevention system. The Splunk database of the University of Scranton Information Security Office is “close to a terabyte” in size, Maszeroski said, and “our standard op procedure is to throw everything away after 90 days. We’re also limited by budget and storage capacity.”
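The correlation the Scranton setup relies on, as an added example that is not code from the article or from the university: DHCP and NAT events keyed on a device MAC address, with the 90-day retention rule applied at ingest. The log line formats, access-point names and all sample lines are constructed for illustration; the one point the article leaves implicit is that DHCP addresses are reused, so a NAT event has to be matched to the lease active at that instant, not to any device that ever held the IP.

```python
"""Added example, not the article's or the university's code: a Splunk-style
correlation of DHCP and NAT logs by MAC address with 90-day retention.
Line formats and sample data below are constructed for illustration."""
import re
from bisect import bisect_right
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed line formats (an assumption, not any vendor's real syslog):
#   "<iso-ts> dhcp: lease <client-ip> mac <mac> ap <access-point>"
#   "<iso-ts> nat: <client-ip>:<port> -> <public-ip>:<port>"
DHCP_RE = re.compile(r"^(\S+) dhcp: lease (\S+) mac (\S+) ap (\S+)$")
NAT_RE = re.compile(r"^(\S+) nat: (\S+):(\d+) -> (\S+):(\d+)$")

RETENTION = timedelta(days=90)  # "throw everything away after 90 days"


def parse_logs(lines, now):
    """Parse DHCP and NAT lines, discarding anything older than RETENTION.

    Returns (leases, nat_events, dropped): leases[client_ip] is a time-sorted
    list of (ts, mac, ap); nat_events is a time-sorted list of
    (ts, client_ip, public_ip, public_port); dropped counts expired lines.
    """
    leases = defaultdict(list)
    nat_events = []
    dropped = 0
    for line in lines:
        m = DHCP_RE.match(line)
        if m:
            ts = datetime.fromisoformat(m.group(1))
            if now - ts > RETENTION:
                dropped += 1
                continue
            leases[m.group(2)].append((ts, m.group(3), m.group(4)))
            continue
        m = NAT_RE.match(line)
        if m:
            ts = datetime.fromisoformat(m.group(1))
            if now - ts > RETENTION:
                dropped += 1
                continue
            nat_events.append((ts, m.group(2), m.group(4), int(m.group(5))))
        # lines from other sources (DNS, IPS, ...) are ignored in this example
    for history in leases.values():
        history.sort()
    nat_events.sort()
    return leases, nat_events, dropped


def lease_holder(leases, client_ip, ts):
    """(mac, ap) holding client_ip at time ts, or None if no lease was active.

    DHCP addresses are reused, so the match is the latest lease at or before
    ts, never just any lease that once carried the same IP.
    """
    history = leases.get(client_ip, [])
    idx = bisect_right([t for t, _, _ in history], ts)
    if idx == 0:
        return None
    _, mac, ap = history[idx - 1]
    return mac, ap


def trace_device(mac, lines, now):
    """Outbound NAT translations attributable to mac, time-ordered as
    (ts, access_point, "public_ip:port") tuples."""
    leases, nat_events, _ = parse_logs(lines, now)
    trail = []
    for ts, client_ip, public_ip, port in nat_events:
        holder = lease_holder(leases, client_ip, ts)
        if holder and holder[0] == mac:
            trail.append((ts, holder[1], f"{public_ip}:{port}"))
    return trail


# Constructed sample log lines: 10.1.2.3 is leased to one device at 08:00 and
# handed to a second device at 09:00, and the first line is older than 90 days.
SAMPLE_LOGS = [
    "2023-11-01T12:00:00 dhcp: lease 10.1.2.3 mac aa:bb:cc:dd:ee:01 ap old-ap",
    "2024-03-01T08:00:00 dhcp: lease 10.1.2.3 mac aa:bb:cc:dd:ee:01 ap library-2f",
    "2024-03-01T08:05:00 nat: 10.1.2.3:51000 -> 198.51.100.7:51000",
    "2024-03-01T09:00:00 dhcp: lease 10.1.2.3 mac aa:bb:cc:dd:ee:02 ap dorm-a",
    "2024-03-01T09:10:00 nat: 10.1.2.3:52000 -> 198.51.100.7:52000",
    "2024-03-01T10:00:00 dhcp: lease 10.1.2.9 mac aa:bb:cc:dd:ee:01 ap union-cafe",
    "2024-03-01T10:02:00 nat: 10.1.2.9:53000 -> 198.51.100.7:53000",
]
NOW = datetime(2024, 3, 2)  # constructed "current time" for the retention check

if __name__ == "__main__":
    for ts, ap, public in trace_device("aa:bb:cc:dd:ee:01", SAMPLE_LOGS, NOW):
        print(ts.isoformat(), ap, public)
```

Run as-is it prints the two translations for the first device only; the 09:10 event is correctly attributed to the second device even though it used the same private IP.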

Web-based hacker collective Anonymous published 1 million Apple UDIDs on the web early this morning from a trove of 12 million that it allegedly stole from an FBI agent’s laptop in March. Buried within the rambling, bizarre missive from the group about why it published these unique device identifiers — besides attempting to embarrass the FBI for tracking that many iOS devices, and creating general mayhem — was a pointed comment about Apple’s decision to use and publish UDIDs in the first place with iOS devices.

A new study from Birmingham University in the U.K. found that people will likely be monitored within hours of downloading popular torrents by at least one of ten or more major monitoring firms. The team, led by security researcher Tom Chothia, ran software that acted like a BitTorrent client for three years and recorded all of the connections made to it.

Appelbaum: Cell phones are tracking devices that make phone calls. It’s sad, but it’s true. Which means software solutions don’t always matter. You can have a secure set of tools on your phone, but it doesn’t change the fact that your phone tracks everywhere you go. And the police can potentially push updates onto your phone that backdoor it and allow it to be turned into a microphone remotely, and do other stuff like that. The police can identify everybody at a protest by bringing in a device called an IMSI catcher. It’s a fake cell phone tower that can be built for 1500 bucks. And once nearby, everybody’s cell phones will automatically jump onto the tower, and if the phone’s unique identifier is exposed, all the police have to do is go to the phone company and ask for their information.

Resnick: So phones are tracking devices. They can also be used for surreptitious recording. Would taking the battery out disable this capability?

Appelbaum: Maybe. But iPhones, for instance, don’t have a removable battery; they power off via the power button. So if I wrote a backdoor for the iPhone, it would play an animation that looked just like a black screen. And then when you pressed the button to turn it back on it would pretend to boot. Just play two videos.

Resnick: And how easy is it to create something like that?

Appelbaum: There are weaponized toolkits sold by companies like FinFisher that enable breaking into BlackBerries, Android phones, iPhones, Symbian devices and other platforms. And with a single click, say, the police can own a person, and take over her phone.

The FISA Amendments Act (FAA) of 2008 gave the NSA expansive power to spy on Americans’ international email and telephone calls. However, last month, in a letter to Senator Ron Wyden, a government official publicly disclosed that the NSA’s surveillance had gone even further than what the law permits, with the Foreign Intelligence Surveillance Court (FISC) issuing at least one ruling calling the NSA’s actions unconstitutional. The government further disclosed that the FISC had determined the government’s surveillance violated the spirit of the law on at least one occasion, as well. EFF’s Freedom of Information Act (FOIA) lawsuit seeks disclosure of any written opinions or orders from FISC discussing illegal government surveillance, as well as any briefings to Congress about those violations.

Major surveillance law change arrives in the Senate—and it might well pass.

Right now, if the cops want to read my e-mail, it’s pretty trivial for them to do so. All they have to do is ask my online e-mail provider. But a new bill set to be introduced Thursday in the Senate Judiciary Committee by its chair, Sen. Patrick Leahy (D-VT), seems to stand the best chance of finally changing that situation and giving e-mail stored on remote servers the same privacy protections as e-mail stored on one’s home computer.

When Congress passed the 1986 Electronic Communications Privacy Act (ECPA), a time when massive online storage of e-mail was essentially unimaginable, it was presumed that if you hadn’t actually bothered to download your e-mail, it could be considered “abandoned” after 180 days. By that logic, law enforcement would not need a warrant to go to the e-mail provider or ISP to get the messages that are older than 180 days; police only need to show that they have “reasonable grounds to believe” the information gathered would be useful in an investigation. Many Americans and legal scholars have found this standard, in today’s world, problematic.

Leahy, who was one of ECPA’s original authors, proposed similar changes in May 2011, but that was never even brought to a vote in the committee. The new version, which keeps the most important element of the 2011 proposal, will be incorporated into a larger bill aimed at revising the 1988 Video Privacy Protection Act (VPPA).

With the FAA working on rules to integrate drones into airspace safety by 2015, the US government’s Congressional Research Service has warned of gaps in how American courts might treat the use of drones.

“As of January, Brazil intends to put into action a new system that will track vehicles of all kinds via radio frequency chips. It will take a few years to accomplish, but authorities will eventually require all vehicles to have an electronic chip installed, which will match every car to its rightful owner. The chip will send the car’s identification to antennas on highways and streets, soon to be spread all over the country. Eventually, it will be illegal to own a car without one. Besides real time monitoring of traffic conditions, authorities will be able to integrate all kinds of services, such as traffic tickets, licensing and annual taxes, automatic toll charge, and much more. Benefits also include more security, since the system will make it harder for thieves to run far away with stolen vehicles, much less leave the country with one.”

From Patrick Radden Keefe, in the New Yorker: “The serialized revelations that have unfolded since Friday—when Petraeus, who left the military as a four-star general, resigned from the C.I.A. because of an affair—are, to say the least, honeyed with irony. In the decade following September 11, 2001, the national-security establishment in this country devised a surveillance apparatus of genuinely diabolical creativity—a cross-hatch of legal and technical innovations that (in theory, at any rate) could furnish law enforcement and intelligence with a high-definition early-warning system on potential terror events. What it’s delivered, instead, is the tawdry, dismaying, and wildly entertaining spectacle that ensues when the national-security establishment inadvertently turns that surveillance apparatus on itself.”

In a blog post, Google senior policy analyst Dorothy Chou says, ‘[G]overnment demands for user data have increased steadily since we first launched the Transparency Report.’ In the first half of 2012, the period covered in the report, Chou says there were 20,938 inquiries from government organizations for information about 34,614 Google-related accounts. Google has a long history of pushing back against governmental demands for data, going back at least to its refusal to turn over search data to the Department of Justice in 2005. Many other companies have chosen to cooperate with government requests rather than question or oppose them, but Chou notes that in the past year, companies like Dropbox, LinkedIn, Sonic.net and Twitter have begun making government information requests public, to inform the discussion about Internet freedom and its limits. According to the report, the U.S. continues to make the most requests for user data, 7,969 in the first six months of the year. Google complied with 90% of these requests. Google’s average compliance rate for the 31 countries listed in the report is about 47%.

In recent years, a handful of privacy activists — led by the A.C.L.U., the Electronic Frontier Foundation, the Electronic Privacy Information Center, and the Center for Democracy & Technology — have filed lawsuits and requested official documents in an effort to reveal and challenge the government’s vast surveillance powers. For the most part, they have not succeeded in changing things; the Petraeus scandal appears to show just how much surveillance the F.B.I. and other law enforcement agencies can conduct without a judge or a company telling them “no, you can’t have that.”

…

There’s a particularly cruel irony in all of this: If you contact your cell-phone carrier or Internet service provider or a data broker and ask to be provided with the information on you that they provide to the government and other companies, most of them will refuse or make you jump through Defcon levels of hops, skips, and clicks. Uncle Sam or Experian can easily access data that shows where you have been, whom you have called, what you have written, and what you have bought — but you do not have the same privileges.

Ms. Broadwell apparently attempted to shield her identity by using anonymous email accounts. However, it appears that her efforts were thwarted by sloppy operational security and the data retention practices of the companies to whom she entrusted her private data.

The New York Times reported that “[b]ecause the sender’s account had been registered anonymously, investigators had to use forensic techniques—including a check of what other e-mail accounts had been accessed from the same computer address—to identify who was writing the e-mails.”

“Robust tools for privacy and anonymity exist, but they are not integrated in a way that makes them easy to use,” Mr. Blaze warned. “We’ve all made the mistake of accidentally hitting ‘Reply All.’ Well, if you’re trying to hide your e-mails or account or I.P. address, there are a thousand other mistakes you can make.”

In the end, Mr. Kaminsky noted, if the F.B.I. is after your e-mails, it will find a way to read them. In that case, any attempt to stand in its way may just lull you into a false sense of security.

Some people think that if something is difficult to do, “it has security benefits, but that’s all fake — everything is logged,” said Mr. Kaminsky. “The reality is if you don’t want something to show up on the front page of The New York Times, then don’t say it.”

“Denied the right to travel without consent from their male guardians and banned from driving, women in Saudi Arabia are now monitored by an electronic system that tracks any cross-border movements. Since last week, Saudi women’s male guardians began receiving text messages on their phones informing them when women under their custody leave the country, even if they are travelling together. ‘The authorities are using technology to monitor women,’ said columnist Badriya al-Bishr, who criticised the ‘state of slavery under which women are held’ in the ultra-conservative kingdom. Women are not allowed to leave the kingdom without permission from their male guardian, who must give his consent by signing what is known as the ‘yellow sheet’ at the airport or border.”

The imbroglio centers around a system called Palantir, which teases out connections from giant mounds of data, and visualizes those links in ways that even knuckle-draggers can understand. With its slick interface and its ability to find hidden relationships, Palantir has attracted a cult of fanboys in the military and intelligence communities not unlike the one Apple has amassed in the consumer gadget world.

The problem is the Army already has a $2.3 billion system that does what Palantir is supposed to do — plus several dozen more things, besides. The DCGS-A (“Distributed Common Ground System – Army”) is meant to be the one resource that Army intel analysts can use to find links between events, build dossiers on high-level targets, and plot out patterns in enemy attacks. Accessing 473 data sources for 75 million reports, it’s supposed to be the primary source for mining intelligence and surveillance data on the battlefield — everything from informants’ tips to satellites’ images to militants’ fingerprints.

But many in the military found DCGS-A too complicated, too hackable, and not nearly reliable enough. And the Palantir crowd, they just wouldn’t quit pushing for their favorite software, even though Palantir was something of a roach motel of intelligence data — once inside, it was hard to export information to other systems.

The International Telecommunications Union, a UN agency dominated by veterans of incumbent telcoms who mistrust the Internet, and representatives of repressive governments who want to control it, have quietly begun the standardization process for a kind of invasive network spying called “deep packet inspection” (DPI). Other standards bodies have shied away from standardizing surveillance technology, but the ITU just dived in with both feet, and proposed a standard that includes not only garden-variety spying, but also spying “in case of a local availability of the used encryption key(s)” — a situation that includes the kind of spying Iran’s government is suspected of engaging in, when an Iranian hacker stole signing keys from the Dutch certificate authority DigiNotar, allowing for silent interception of Facebook and Gmail traffic by Iranian dissidents.

Antivirus pioneer John McAfee, who recently fled from Belize after his neighbour was shot dead, supposedly used disguises to outwit his pursuers. Could technology have spotted what humans failed to see?

Stick on a fake moustache. Add some glasses. Dye your hair. And perhaps pop on a hat. If you are a man – or woman – on the run in the movies then this kind of low-tech disguise is all that is needed to evade the authorities.

But, in a case of life imitating art, a similar array of tactics seems to have met with some success in the real world.

One of the more bizarre news stories of recent weeks concerns John McAfee, founder of the eponymous anti-virus software company, going on the run from the Belize police. According to his blog, McAfee disguised himself by colouring his hair and beard grey, darkening his face with shoe polish, padding his cheeks with bubble gum and stuffing his right nostril to give it – in McAfee’s own words, “an awkward, lopsided, disgusting appearance”.

The Wall Street Journal reported today that the little-known National Counterterrorism Center, based in an unmarked building in McLean, Va., has been granted sweeping new authority to store and monitor massive datasets about innocent Americans.

After internal wrangling over privacy and civil liberties issues, the Justice Department reportedly signed off on controversial new guidelines earlier this year. The guidelines allow the NCTC, for the first time, to keep data about innocent U.S. citizens for up to five years, using “predictive pattern-matching,” to analyze it for suspicious patterns of behavior. The data the counterterrorism center has access to, according to the Journal, includes “entire government databases—flight records, casino-employee lists, the names of Americans hosting foreign-exchange students and many others.”

Notably, the Journal reports that these changes also allow databases about U.S. civilians to be handed over to foreign governments for analysis, presumably so that they too can attempt to determine future criminal actions. The Department of Homeland Security’s former chief privacy officer said that it represents a “sea change in the way that the government interacts with the general public.”

(Reuters) – A public school district in Texas can require students to wear locator chips when they are on school property, a federal judge ruled on Tuesday in a case raising technology-driven privacy concerns among liberal and conservative groups alike.

The FBI calls it a “sensitive investigative technique” that it wants to keep secret. But newly released documents that shed light on the bureau’s use of a controversial cellphone tracking technology called the “Stingray” have prompted fresh questions over the legality of the spy tool.

Functioning as a so-called “cell-site simulator,” the Stingray is a sophisticated portable surveillance device. The equipment is designed to send out a powerful signal that covertly dupes phones within a specific area into hopping onto a fake network. The feds say they use them to target specific groups or individuals and help track the movements of suspects in real time, not to intercept communications. But by design Stingrays, sometimes called “IMSI catchers,” collaterally gather data from innocent bystanders’ phones and can interrupt phone users’ service—which critics say violates a federal communications law.

The FBI has maintained that its legal footing here is firm. Now, though, internal documents obtained by the Electronic Privacy Information Center, a civil liberties group, reveal the bureau appears well aware its use of the snooping gear is in dubious territory. Two heavily redacted sets of files released last month show internal Justice Department guidance that relates to the use of the cell tracking equipment, with repeated references to a crucial section of the Communications Act which outlines how “interference” with communication signals is prohibited.

There is one thing that binds the phrases “kinky cinema,” “hired killer,” and “throwing eggs.” If you type any one of them into a special eavesdropping-enabled version of Skype used in China, you could find yourself under surveillance.

That’s according to a research project by Jeffrey Knockel, a computer-science graduate student at the University of New Mexico, Albuquerque. As Bloomberg Businessweek reported today, Knockel recently found a way to bypass encryption used by a version of Skype designed specifically for Chinese users, and in doing so uncovered secret keyword lists used in China to monitor Skype users’ communications.

According to the 27-year-old researcher, the software has a built-in surveillance blacklist that scans messages sent between users for specific words and phrases. If a user types one of the offending phrases into the Skype text chat, it triggers an alert—sending a copy back to a centralized computer server and flagging who sent the message and when.

Harvard University central administrators secretly searched the e-mail accounts of 16 resident deans last fall, looking for a leak to the media about the school’s sprawling cheating case, according to several Harvard officials interviewed by the Globe.

The resident deans sit on Harvard’s Administrative Board, the committee charged with handling the cheating case. They were not warned that administrators planned to access their accounts, and only one was told of the search shortly afterward.

The dean who was informed had forwarded a confidential Administrative Board message to a student he was advising, not realizing it would ultimately make its way to the Harvard Crimson and the Globe and fuel the campus controversy over the cheating scandal.

In a series of interviews with USAToday, Facebook has finally revealed how it tracks users and non-users across the web, gathering huge amount of data as it does so. Says ABCNews/USAToday:

Facebook officials are now acknowledging that the social media giant has been able to create a running log of the web pages that each of its 800 million or so members has visited during the previous 90 days. Facebook also keeps close track of where millions more non-members of the social network go on the Web, after they visit a Facebook web page for any reason.

Sure, we can take measures to prevent this. We can limit what we search on Google from our iPhones, and instead use computer web browsers that allow us to delete cookies. We can use an alias on Facebook. We can turn our cell phones off and spend cash. But increasingly, none of it matters.

There are simply too many ways to be tracked. The Internet, e-mail, cell phones, web browsers, social networking sites, search engines: these have become necessities, and it’s fanciful to expect people to simply refuse to use them just because they don’t like the spying, especially since the full extent of such spying is deliberately hidden from us and there are few alternatives being marketed by companies that don’t spy.

This isn’t something the free market can fix. We consumers have no choice in the matter. All the major companies that provide us with Internet services are interested in tracking us. Visit a website and it will almost certainly know who you are; there are lots of ways to be tracked without cookies. Cellphone companies routinely undo the web’s privacy protection. One experiment at Carnegie Mellon took real-time videos of students on campus and was able to identify one-third of them by comparing their photos with publicly available tagged Facebook photos.

(Reuters) – The Obama administration is drawing up plans to give all U.S. spy agencies full access to a massive database that contains financial data on American citizens and others who bank in the country, according to a Treasury Department document seen by Reuters.

Another critical aspect of CALEA deals with encrypted messaging, mainly that it is exempt from all wireless surveillance. Soghoian explained that communications, “encrypted with a key not known to the company […] cannot be intercepted.” So in a situation where the decryption keys are handled on the device, and not by whomever is delivering the messages, then law enforcement must ignore the message entirely.

This issue was mentioned in the DEA report, quoted by CNet: “iMessages between two Apple devices are considered encrypted communication and cannot be intercepted, regardless of the cell phone service provider.” However, the report notes that depending on where the intercept is placed, messages sent to other phones can be read. This is likely because those communications are not encrypted, and are therefore visible to law enforcement under CALEA.

With this fuller history, Lapsley lays out the foundations of the systems we live in now. Not the specific tools we use, which are rotating into obsolescence in an accelerating blur, but the systems our tools are embedded within, and our notions of security, freedom, criminality, privacy. During the years that AT&T was struggling to invent a new phone technology, they also forged new legal justifications for surveilling users and prosecuting hackers. By definition, they had no idea who was hiding from their billing system, so they set up a blanket surveillance program which tapped around 33 million phone calls between 1964 and 1970, recording more than a million and a half of them for further analysis. AT&T kept this program — code named Greenstar — a closely guarded secret, because they were pretty sure it was illegal, and they certainly didn’t want a court to confirm their suspicions. But this massive wiretapping program gave them a good idea who was defrauding their system, and it pointed them towards evidence that they could use in court. (In 1968, AT&T helped advise Congress on new legislation that made the Greenstar wiretapping retroactively legal. So that was one problem taken care of.)

…

Phone phreaks talked about getting busted by the phone company in a way that would sound silly if we were talking about AT&T or Google today. And it is indeed strange to think of Ma Bell’s quasi-governmental security force: hard-boiled guys in trench coats staking out phone booths, waiting for a hippie to toot a toy or beep a box. But part of the reason this seems strange is because corporations don’t really need the guys in trench coats anymore. The mechanisms of state and corporate surveillance are now completely embedded in our daily lives.

“There’s no expectation of privacy when you go into a mall,” retorts one shopper-monitoring executive. A better answer is that retailers like American Apparel are analysing groups, not identifying individuals. Cameras set up to do anything fancier than traffic-counting are confined to a few test stores. Mobile-phone trackers identify phones, not their owners, says Will Smith of Euclid Analytics. Still, Euclid recommends telling customers that tracking is going on. “Companies that succeed in this space are companies that address privacy correctly,” he says.

The IRS has quietly upgraded its technology so tax collectors can track virtually everything people do online.

The Internal Revenue Service is collecting a lot more than taxes this year — it’s also acquiring a huge volume of personal information on taxpayers’ digital activities, from eBay auctions to Facebook posts and, for the first time ever, credit card and e-payment transaction records, as it expands its search for tax cheats to places it’s never gone before.

“According to a lawyer at a telecoms company and the retired boss of a large telecoms group operating in the United States, telecoms companies have long been required to employ technicians with security clearances who assist in government surveillance, but are not allowed to disclose their activities to their uncleared bosses. The same request may, perhaps, have been extended to web firms.”

“America’s energetic snooping is part of a broader global trend. Each year authorities in South Korea make more than 37m requests to see communications data stored about the country’s 50m people (police in Britain make about 500,000). New laws in Kenya let the government snoop on suspects indefinitely once an application is approved. India is considering a plan to route communications through government equipment, helping it to eavesdrop without alerting service providers. A report presented on June 4th by Frank La Rue, the UN’s special rapporteur on free expression, warned that broad interpretations of outdated laws were enabling sophisticated and invasive surveillance measures to flourish around the world. He called for governments to draw up new regulations that properly acknowledge the growing power of modern spying equipment.”

“This week’s revelations have made it clearer to the public that Canada, like other governments, is voraciously scouring the globe for telecommunications data trails – phone logs, Internet protocols and other “routing” information.”

“I am completely independent and operate at arms-length from the government. I have all the powers of a Commissioner under Part II of the Inquiries Act, including the power of subpoena, to access and review any information held by CSEC. We have secure offices on-site at CSEC. My employees have unobstructed access to CSEC systems, observe CSEC analysts first hand to verify how they conduct their work, interview them, and test information obtained against the contents of CSEC’s databases.

…

I verify that CSEC does not direct its foreign signals intelligence collection and IT security activities at Canadians — wherever they might be in the world — or at any person in Canada. CSEC is prohibited from requesting an international partner to undertake activities that CSEC itself is legally prohibited from conducting.

…

In the case of metadata, I verify that it is collected and used by CSEC only for purposes of providing intelligence on foreign entities located outside Canada and to protect information infrastructures of importance to the government.

…

At the time the new legislation was passed, CSE told us all in no uncertain terms that the ability to follow a foreign-intelligence-related communication into Canada was vital to the agency’s ability to function effectively in the modern world. For some reason the Commissioner seems to want to leave the impression that this only happens “unintentionally”.

Similarly, the Commissioner’s statement affirms that “CSEC is prohibited from requesting an international partner to undertake activities that CSEC itself is legally prohibited from conducting”, but it skips past the vital question of how often those partners may nonetheless supply information that CSE would not itself be permitted to collect.”

“Liberal MP Wayne Easter, who was minister responsible for the spy agency CSIS in 2002-03, told the Star that in the post-9/11 era a decade ago it was common for Canada’s allies to pass on information about Canadians that they were authorized to gather but Ottawa wasn’t.

The practice was, in effect, a back-door way for sensitive national security information to be shared, not with the government, but Communications Security Establishment Canada (CSEC) and, if necessary, the Canadian Security Intelligence Service (CSIS).”

“In fact, the little-known Communications Security Establishment Canada is specifically mandated to intercept telephone or Internet communications involving Canadians — as long as it does so in an effort to gather foreign intelligence.

…

As former Liberal solicitor-general Wayne Easter told my colleague Tonda MacCharles, during his time in government the NSA routinely passed on information about Canadians to Canada — through either CSEC itself or the Canadian Security Intelligence Service or the RCMP.”

“In fact, such data are undoubtedly also collected to help determine the identities (or at least the communications addresses) of the people in Canada that CSE’s foreign intelligence targets are communicating with. The person at the Canadian end of the conversation would not be the “target” in such cases, but CSE would still want to monitor both ends of the communication in order to find out what the foreign target at the other end of the conversation was up to.

If the Canadian participant turned out to also be of intelligence interest, CSE would then pass that information to CSIS, the RCMP, or another relevant agency, which if it agreed would then obtain authorization to monitor the Canadian under its own legal procedures. That authorization, in turn, would clear the way for CSE to conduct further monitoring of the Canadian in fulfillment of Part C of its mandate.”

“The NSA’s enormous new $1.2-billion complex in Utah will be able to handle and process five zettabytes of data, which former NSA technical director (and now whistleblower William Binney) estimates to be on the order of 100 years worth of all of the world’s communications.

…

In 2010, German Green Party politician Malte Spitz and Germany’s Die Zeit newspaper requested all of the metadata from Mr. Spitz’s phone carrier, Deutsche Telekom. The company sent back a CD containing 35,830 lines of code. “Seen individually, the pieces of data are mostly inconsequential and harmless,” wrote Die Zeit, “[but] taken together, they provide what investigators call a profile – a clear picture of a person’s habits and preferences, and indeed, of his or her life.”

Access to metadata, when combined with powerful computers and algorithms, can also allow entire social networks to be mapped in space and time with a degree of precision that is extraordinarily unprecedented, and extraordinarily powerful. Once analyzed, metadata can pinpoint not only who you are, but with whom you meet, with what frequency and duration, and at which locations. And it’s now big business for that very reason. A growing complex of top secret data analysis companies orbit the law enforcement, military, and intelligence communities offering Big Data analysis, further driving the need for yet more data.”

“As part of ongoing collaborations with the Communications Security Establishment (CSE), we are applying unsupervised and semi-supervised learning methods to understand transactions on large dynamic networks, such as telephone and email networks. When viewed as a graph, the nodes correspond to individuals that send or receive messages, and edges correspond to the messages themselves. The graphs we address can be observed in real-time, include from hundreds to hundreds of thousands of nodes, and feature thousands to millions of transactions. There are two goals associated with this project: firstly, there is the semi-supervised learning task, and rare-target problem, in which we wish to identify certain types of nodes; secondly, there is the unsupervised learning task of detecting anomalous messages.”
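The inference the two preceding passages describe (a profile of who talks to whom, how often, for how long and from where, built from metadata alone, and the call graph on which anomalous transactions are flagged) as an added example; this is not code from the page, from Die Zeit or from the CSE project it quotes. The call-detail records, field layout and cell-site labels are constructed for illustration.

```python
"""Added example: what a handful of call-detail records reveal without any
call content. Records and labels below are constructed, not real data."""
from collections import Counter, defaultdict
from datetime import datetime

# Constructed records: (caller, callee, start time, seconds, caller's cell site).
# These are exactly the fields the page lists as "metadata": who, when, how
# long and where. Nothing said on any call is included.
CDRS = [
    ("alice", "bob",   "2013-06-03 08:05", 300, "cell-home"),
    ("alice", "bob",   "2013-06-04 08:10", 240, "cell-home"),
    ("alice", "bob",   "2013-06-05 08:02", 420, "cell-home"),
    ("alice", "carol", "2013-06-03 12:30",  60, "cell-office"),
    ("alice", "carol", "2013-06-04 12:35",  90, "cell-office"),
    ("bob",   "carol", "2013-06-05 18:00", 120, "cell-downtown"),
    ("dave",  "alice", "2013-06-06 02:15",  15, "cell-clinic"),
    ("dave",  "erin",  "2013-06-06 02:20",  20, "cell-clinic"),
    ("erin",  "alice", "2013-06-06 02:40",  30, "cell-clinic"),
]


def parse(ts):
    return datetime.strptime(ts, "%Y-%m-%d %H:%M")


def contact_graph(cdrs):
    """Undirected contact graph; each edge carries call count and total seconds."""
    edges = defaultdict(lambda: {"calls": 0, "seconds": 0})
    for caller, callee, _, secs, _ in cdrs:
        key = tuple(sorted((caller, callee)))
        edges[key]["calls"] += 1
        edges[key]["seconds"] += secs
    return dict(edges)


def strongest_ties(cdrs, person, n=2):
    """A person's closest contacts, ranked by call count, then total duration."""
    ties = []
    for (a, b), weight in contact_graph(cdrs).items():
        if person in (a, b):
            ties.append((b if a == person else a, weight))
    ties.sort(key=lambda t: (-t[1]["calls"], -t[1]["seconds"]))
    return [contact for contact, _ in ties[:n]]


def routine(cdrs, person):
    """Where a person usually is at each hour of the day, from their own calls:
    the 'habits and preferences' profile Die Zeit describes."""
    by_hour = defaultdict(Counter)
    for caller, _, start, _, cell in cdrs:
        if caller == person:
            by_hour[parse(start).hour][cell] += 1
    return {hour: cells.most_common(1)[0][0] for hour, cells in by_hour.items()}


def co_located(cdrs, window_minutes=30):
    """Pairs of different callers seen on the same cell site within the window:
    'with whom you meet', inferred without either party calling the other."""
    pairs = set()
    seen = [(parse(s), caller, cell) for caller, _, s, _, cell in cdrs]
    for i, (t1, p1, c1) in enumerate(seen):
        for t2, p2, c2 in seen[i + 1:]:
            if p1 != p2 and c1 == c2 and abs((t2 - t1).total_seconds()) <= window_minutes * 60:
                pairs.add(tuple(sorted((p1, p2))))
    return pairs


def most_connected(cdrs):
    """The node with the highest degree in the contact graph (the hub analysts
    would look at first when mapping a network)."""
    degree = Counter()
    for a, b in contact_graph(cdrs):
        degree[a] += 1
        degree[b] += 1
    return degree.most_common(1)[0][0]


def off_hours(cdrs, start_hour=0, end_hour=5):
    """Simplest unsupervised 'anomalous transaction' rule: calls placed in a
    window where this data set otherwise shows no activity."""
    return [r for r in cdrs if start_hour <= parse(r[2]).hour < end_hour]


if __name__ == "__main__":
    print("alice's closest contacts:", strongest_ties(CDRS, "alice"))
    print("alice's routine by hour:", routine(CDRS, "alice"))
    print("co-located pairs:", co_located(CDRS))
    print("hub of the graph:", most_connected(CDRS))
    print("off-hours calls:", [(c, d) for c, d, *_ in off_hours(CDRS)])
```

Nine records suffice to name the hub, the closest contacts, a daily routine, a late-night meeting at a clinic and the people who were there; the page's point is that carriers hold tens of thousands of such records per subscriber.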

“Canada has similar disclosure provisions as those found in the USA Patriot Act. For example, s. 21 of the Canadian Security Intelligence Act provides for a warrant that permits almost any type of communication interception, surveillance or disclosure of records for purpose of national security. To obtain such a warrant, the Director of the CSIS or a designate of the Solicitor General is required to file an application with a Federal Court judge. The application must contain an affidavit stating “the facts relied on to justify the belief, on reasonable grounds, that a warrant… is required”. The application must also outline why other investigative techniques are inappropriate. The warrant will typically last 60 days and is renewable on application. Section 21 orders could presumably also be applied to U.S. companies operating in Canada.

The section 21 warrant is arguably similar to a section 215 application made to the FISA Court. Both do not require probable cause and both can be used to obtain any type of records or any other tangible thing. Moreover, the target of both warrants need not be the target of the national security investigation.”

Q: Glenn Greenwald follow up: When you say “someone at NSA still has the content of your communications” – what do you mean? Do you mean they have a record of it, or the actual content?

A: Both. If I target for example an email address, for example under FAA 702, and that email address sent something to you, Joe America, the analyst gets it. All of it. IPs, raw data, content, headers, attachments, everything. And it gets saved for a very long time – and can be extended further with waivers rather than warrants.

The Guardian has published information from another Edward Snowden leak, this one detailing a British wiretapping program by the UK spy agency GCHQ that puts Prism to shame. The GCHQ program, called Tempora, stores all submarine cable traffic and all domestic traffic (Internet packets and recordings of phone-calls) for 30 days, using NSA tools to sort and search it; the quid-pro-quo being that the NSA gets to access this data, too. The program is reportedly staffed by 300 GCHQ spies and 250 NSA spies, and the data produced by the taps is made available to 850,000 NSA employees and contractors. This is all carried out under the rubric of RIPA, the controversial Regulation of Investigatory Powers Act, a UK electronic spying law passed by Tony Blair’s Labour government.

MAINWAY, which collects the telephone metadata of people in the United States. The collected data reportedly include “phone numbers dialed and length of call but not call content, caller identity or location information”. According to the U.S. government the data may be “queried” only when there is “reasonable suspicion” that “an identifier is associated with specific foreign terrorist organizations”. The government statement does not specify whether the data are also subjected to computerized network analysis in order to help determine “identifiers” that may be associated with those organizations.

MARINA, which collects internet metadata. According to the Washington Post, “MARINA and the collection tools that feed it are probably the least known of the NSA’s domestic operations, even among experts who follow the subject closely. Yet they probably capture information about more American citizens than any other, because the volume of e-mail, chats and other Internet communications far exceeds the volume of standard telephone calls. The NSA calls Internet metadata ‘digital network information.’ Sophisticated analysis of those records can reveal unknown associates of known terrorism suspects.”

NUCLEON, which intercepts the content of telephone calls. This program reportedly works on a much smaller scale than the first two. It probably only captures the telephone calls of specific individuals who have already been identified as suspects in on-going investigations.

PRISM, which accesses internet content (e-mail, chat texts, search histories, Skype data, data stored in “the cloud”, etc.) contained in the data stored by major internet services such as Google and Facebook. These data are reportedly also accessed only with respect to specific individuals or perhaps groups of individuals or organizations.

Italy is the most wiretapped Western democracy, with transcripts of telephone intercepts of politicians and criminals routinely splashed on front pages. Just this weekend, the phone intercepts of a top Vatican accountant arrested in a 20 million euro ($26.2 million) corruption plot were published in major Italian newspapers.

Security in Tibet: Grid locked
With the help of experts from Beijing, Tibet tightens its systems of surveillance

…

It was launched in April 2012 in Lhasa’s Chengguan district, where Mr Zhi has been serving as deputy party chief. Officials call it the “grid system of social management”. One of its main aims is to make it easier for officials to monitor potential troublemakers by using intelligence gathered by community workers within areas known as grids (wangge in Mandarin). Chengguan, which includes most of the city proper and some of the rural area around it, has been divided into 175 of them. The grids’ small size (every Lhasa neighbourhood now has several) is intended to facilitate the gathering of detailed, real-time information.

Why bother? Lhasa is already crawling with security personnel and festooned with surveillance cameras. Even before the grid system any Tibetan who raised a protest banner would be leapt on within seconds and taken away (though few such attempts have been reported since security was increased after riots in 2008). But, mostly in the last two years, Tibetan protesters have taken to setting themselves on fire, which has made the authorities even edgier. Only two of about 120 of these acts have occurred in Lhasa but the capital’s religious importance to Tibetans makes any dissent there particularly potent.

…

In both cities grid staff are helped by patrols of volunteers wearing red armbands: usually retired people whose role as local snoops long predates the introduction of grids. Human Rights Watch says that in Lhasa these patrols have become more intrusive with the recent immolations, searching homes for pictures of the Dalai Lama and other signs of dissent. Along with the rollout of grids, the Tibetan authorities have been organising households into groups of five or ten. A leader is appointed who becomes a point of contact for grid officials or police wanting information about members of the group. In May Tibet’s party chief Chen Quanguo said these groups should be the “basic unit” of the system, “ensuring…no blind spots”.

In the meantime technology can serve the powerful, too. Protesters in Turkey and Brazil say their mobile internet access was throttled, though congestion, not censorship, may be the real culprit. Instructions issued over social networks are easily monitored by police. Amateur footage provides authorities with visual records of those who attend. Witness, an American charity which trains citizen journalists, says that where official snooping is a danger, protesters should be filmed only from behind; last July YouTube, an online video site, introduced a face-blurring tool.

Most protesters are not so careful, and police are getting better at capturing this information themselves. Since 2011 cops in Brazil have tried head-mounted face-detection cameras, which authorities claim can capture up to 400 faces a second. Hoisting them on cheap drones would offer an even better view. Police forces can also recognise demonstrators without actually seeing them: some officers in America have kit capable of recording the identifying code of all the mobile phones within a given area, and officials can also beg or seize the data from mobile operators.

You’ve never heard of XKeyscore, but it definitely knows you. The National Security Agency’s top-secret program essentially makes available everything you’ve ever done on the Internet — browsing history, searches, content of your emails, online chats, even your metadata — all at the tap of the keyboard.

The Guardian exposed the program on Wednesday in a follow-up piece to its groundbreaking report on the NSA’s surveillance practices. Shortly after publication, Edward Snowden, a 29-year-old former Booz Allen Hamilton employee who worked for the NSA for four years, came forward as the source.

This latest revelation comes from XKeyscore training materials, which Snowden also provided to The Guardian. The NSA sums up the program best: XKeyscore is its “widest reaching” system for developing intelligence from the Internet.

“No laws define the limits of the N.S.A.’s power. No Congressional committee subjects the agency’s budget to a systematic, informed and skeptical review. With unknown billions of Federal dollars, the agency purchases the most sophisticated communications and computer equipment in the world. But truly to comprehend the growing reach of this formidable organization, it is necessary to recall once again how the computers that power the N.S.A. are also gradually changing lives of Americans – the way they bank, obtain benefits from the Government and communicate with family and friends. Every day, in almost every area of culture and commerce, systems and procedures are being adopted by private companies and organizations as well as by the nation’s security leaders that make it easier for the N.S.A. to dominate American society should it ever decide such action is necessary.”

SPIEGEL has learned from internal NSA documents that the US intelligence agency has the capability of tapping user data from the iPhone, devices using Android as well as BlackBerry, a system previously believed to be highly secure.

Washington: When President Barack Obama travels abroad, his staff packs briefing books, gifts for foreign leaders and something more closely associated with camping than diplomacy: a tent.

Even when Obama travels to allied nations, aides quickly set up the security tent – which has opaque sides and noise-making devices inside – in a room near his hotel suite. When the president needs to read a classified document or have a sensitive conversation, he ducks into the tent to shield himself from secret video cameras and listening devices.

The National Security Agency is gathering nearly 5 billion records a day on the whereabouts of cellphones around the world, according to top-secret documents and interviews with U.S. intelligence officials, enabling the agency to track the movements of individuals — and map their relationships — in ways that would have been previously unimaginable.

The records feed a vast database that stores information about the locations of at least hundreds of millions of devices, according to the officials and the documents, which were provided by former NSA contractor Edward Snowden. New projects created to analyze that data have provided the intelligence community with what amounts to a mass surveillance tool.

For the moment, companies are treading carefully. Google has banned the use of face-recognition in apps on Glass and its camera is designed to film only in short bursts. Japanese digital camera-makers ensure their products emit a shutter sound every time a picture is taken. Existing laws to control stalking or harassment can be extended to deal with peeping drones.

SIR – Your briefing on ubiquitous cameras claimed that “life logging” will have “much to recommend it” because the “potentially endless” re-examination of the life-logger’s experience will “reveal opportunities to be healthier, happier and more effective” (“The people’s panopticon”, November 16th). However, since everything in the life-logger’s life is recorded, that record will presumably include recordings of the examination of prior recordings, then recordings of the examinations of those recordings, and so on. A point will soon be reached where the life being logged consists of nothing but commentary on commentary.

Samuel Beckett’s one-act play, “Krapp’s Last Tape”, features an aged man sitting before a tape recorder making tapes that are commentaries on prior tape recordings which are themselves commentaries. Technology moves on, but the message still holds: the endless re-examination of futility leads only to more futility, not meaning or effectiveness.

Not only is ubiquitous surveillance ineffective, it is extraordinarily costly. I don’t mean just the budgets, which will continue to skyrocket. Or the diplomatic costs, as country after country learns of our surveillance programs against their citizens. I’m also talking about the cost to our society. It breaks so much of what our society has built. It breaks our political systems, as Congress is unable to provide any meaningful oversight and citizens are kept in the dark about what government does. It breaks our legal systems, as laws are ignored or reinterpreted, and people are unable to challenge government actions in court. It breaks our commercial systems, as U.S. computer products and services are no longer trusted worldwide. It breaks our technical systems, as the very protocols of the Internet become untrusted. And it breaks our social systems; the loss of privacy, freedom, and liberty is much more damaging to our society than the occasional act of random violence.

The Yale Law Journal Online (YLJO) just published an article that I co-authored with Kevin Bankston (first workshopped at the Privacy Law Scholars Conference last year) entitled “Tiny Constables and the Cost of Surveillance: Making Cents Out of United States v. Jones.” In it, we discuss the drastic reduction in the cost of tracking an individual’s location and show how technology has greatly reduced the barriers to performing surveillance. We estimate the hourly cost of location tracking techniques used in landmark Supreme Court cases Jones, Karo, and Knotts and use the opinions issued in those cases to propose an objective metric: if the cost of the surveillance using the new technique is an order of magnitude (ten times) less than the cost of the surveillance without using the new technique, then the new technique violates a reasonable expectation of privacy. For example, the graph above shows that tracking a suspect using a GPS device is 28 times cheaper than assigning officers to follow him.

What’s this mean for Canadians? When you go to the airport and flip open your phone to get your flight status, the government could have a record. When you check into your hotel and log on to the Internet, there’s another data point that could be collected. When you surf the Web at the local cafe hotspot, the spies could be watching. Even if you’re just going about your usual routine at your place of work, they may be following your communications trail.

Ingenious? Yes. Audacious? Yes. Unlawful? Time for the courts to decide. With regard to recent revelations, Canadian government officials have strenuously denied doing what is clearly described in this presentation. On 19 September 2013, CSEC chief John Forster was quoted by the Globe and Mail saying “CSEC does not direct its activities at Canadians and is prohibited by law from doing so.” In response to a lawsuit launched by the British Columbia Civil Liberties Association against the Government of Canada, CSEC admitted that there “may be circumstances in which incidental interception of private communications or information about Canadians will occur.” Only in Orwell-speak would what is contained in these presentations be described as “incidental” or “not directed at Canadians.” Then again, an Orwellian society is what we are in danger of becoming.

The revelations require an immediate response. They throw into sharp relief the obvious inadequacy of the existing “oversight” mechanism, which operates entirely within the security tent. They cast into doubt all government statements made about the limits of such programs. They raise the alarming prospect that Canada’s intelligence agencies may be routinely obtaining data on Canadian citizens from private companies – which includes revealing personal data – on the basis of a unilateral and highly dubious definition of “metadata” (the information sent by cellphones and mobile devices describing their location, numbers called and so on) as somehow not being “communications.” Such operations go well beyond invasions of privacy; the potential for the abuse of unchecked power contained here is practically limitless.

PUNTA CANA–Costin Raiu is a cautious man. He measures his words carefully and says exactly what he means, and is not given to hyperbole or exaggeration. Raiu is the driving force behind much of the intricate research into APTs and targeted attacks that Kaspersky Lab’s Global Research and Analysis Team has been doing for the last few years, and he has first-hand knowledge of the depth and breadth of the tactics that top-tier attackers are using.

So when Raiu says he conducts his online activities under the assumption that his movements are being monitored by government hackers, it is not meant as a scare tactic. It is a simple statement of fact.

“I operate under the principle that my computer is owned by at least three governments,” Raiu said during a presentation he gave to industry analysts at the company’s analyst summit here on Thursday.

The comment drew some chuckles from the audience, but Raiu was not joking. Security experts for years have been telling users–especially enterprise users–to assume that their network or PC is compromised. The reasoning is that if you assume you’re owned then you’ll be more cautious about what you do. It’s the technical equivalent of telling a child to behave as if his mother is watching everything he does. It doesn’t always work, but it can’t hurt.

Raiu and his fellow researchers around the world are obvious targets for highly skilled attackers of all stripes. They spend their days analyzing new attack techniques and working out methods for countering them. Intelligence agencies, APT groups and cybercrime gangs all would love to know what researchers know and how they get their information. Just about every researcher has a story about being attacked or compromised at some point. It’s an occupational hazard.

The NSA’s goal — in which it has been moderately successful — is to match images from disparate databases, including databases of intercepted videoconferences (in February 2014, another Snowden publication revealed that NSA partner GCHQ had intercepted millions of Yahoo video chat stills), images captured by airports of fliers, and hacked national identity card databases from other countries. According to the article, the NSA is trying to hack the national ID card databases of “Pakistan, Saudi Arabia and Iran.”

“It may be that by watching everywhere we go, by watching everything we do, by analysing every word we say, by waiting and passing judgment over every association we make and every person we love, that we could uncover a terrorist plot, or we could discover more criminals. But is that the kind of society we want to live in? That is the definition of a security state.”

“What last year’s revelations showed us was irrefutable evidence that unencrypted communications on the internet are no longer safe. Any communications should be encrypted by default.” This has big implications for anyone using email, text, cloud computing – or Skype, or phones, to communicate in circumstances where they have a professional duty of confidentiality. “The work of journalism has become immeasurably harder. Journalists have to be particularly conscious about any sort of network signalling; any sort of connection; any sort of licence plate-reading device that they pass on their way to a meeting point; any place they use their credit card; any place they take their phone; any email contact they have with the source. Because that very first contact, before encrypted communications are established, is enough to give it all away.” To journalists, he would add “lawyers, doctors, investigators, possibly even accountants. Anyone who has an obligation to protect the privacy of their clients is facing a new and challenging world.”

In its fight against Chinese espionage and other cyberthreats, Canada’s electronic-intelligence agency intercepts citizens’ private messages without judicial warrants.

A 22-page “Operational Procedures for Cyber Defence” document obtained by The Globe speaks to just how Communications Security Establishment Canada (CSEC) can log, store and study volumes of electronic communications that touch government computer networks – including the “private communications” of Canadians not themselves thought to be hackers.

Full details about the tradeoffs involved in CSEC’s operations are known only to one outsider – Minister of National Defence Rob Nicholson, the official who approves such surveillance, and who is provided with statistics about its risks.

Surveillance starts in the home, where all Internet traffic in Singapore is filtered, a senior Defense Ministry official told me (commercial and business traffic is not screened, the official said). Traffic is monitored primarily for two sources of prohibited content: porn and racist invective. About 100 websites featuring sexual content are officially blocked. The list is a state secret, but it’s generally believed to include Playboy and Hustler magazine’s websites and others with sexually laden words in the title. (One Singaporean told me it’s easy to find porn — just look for the web addresses without any obviously sexual words in them.) All other sites, including foreign media, social networks, and blogs, are open to Singaporeans. But post a comment or an article that the law deems racially offensive or inflammatory, and the police may come to your door.

Singaporeans have been charged under the Sedition Act for making racist statements online, but officials are quick to point out that they don’t consider this censorship. Hateful speech threatens to tear the nation’s multiethnic social fabric and is therefore a national security threat, they say. After the 2012 arrest of two Chinese teenage boys, who police alleged had made racist comments on Facebook and Twitter about ethnic Malays, a senior police official explained to reporters: “The right to free speech does not extend to making remarks that incite racial and religious friction and conflict. The Internet may be a convenient medium to express one’s views, but members of the public should bear in mind that they are no less accountable for their actions online.”

Currently, there are 559 leaked company documents, and 15 location tracking reports from WikiLeaks Counter Intelligence Unit (WLCIU). The 559 files disclose to the public internal documents from more than 100 companies specialized in intelligence and (mass) surveillance technologies. These technologies are sold both to Western governments and to dictators, and have been used by the Syrian government. The 15 documents from WLCIU reveal the timestamps and locations of 20 members of these companies, whose whereabouts WikiLeaks has decided to track in order to show where the main surveillance contractors are sending its people. But what does the Spy Files database actually contain? Which are the most recurring intelligence companies and what systems do they target? How to download exactly the leaked document your research calls for? To answer these questions, we’ve decided to import WikiLeaks’s DB into Silk, to combine it with semantic technologies, a powerful query engine and a user-friendly interactive visualization interface.

Businesses and governments around the world increasingly are turning to voice biometrics, or voiceprints, to pay pensions, collect taxes, track criminals and replace passwords. “We sometimes call it the invisible biometric,” said Mike Goldgof, an executive at Madrid-based AGNITiO, one of about 10 leading companies in the field. Those companies have helped enter more than 65M voiceprints into corporate and government databases, according to Associated Press interviews with dozens of industry representatives and records requests in the United States, Europe and elsewhere. … The single largest implementation identified by the AP is in Turkey, where the mobile phone company Turkcell has taken the voice biometric data of some 10 million customers using technology provided by market leader Nuance Communications Inc. But government agencies are catching up.

It would seem that no matter how you configure Yosemite, Apple is listening. Keeping in mind that this is only what’s been discovered so far, and given what’s known to be going on, it’s not unthinkable that more is as well. Should users just sit back and accept this as the new normal? It will be interesting to see if these discoveries result in an outcry, or not.

Department of Justice officials say a couple in Northern California have been indicted on federal drug charges related to the Silk Road 2.0 “dark Web” drug market after agents traced their internet activity. Chico, CA residents David and Teri Schell, 54 and 59, respectively, are charged with conspiracy to manufacture and distribute marijuana and possession of pot with intent to distribute.

At 1:30pm on Christmas Eve, the NSA dumped a huge cache of documents on its website in response to a long-fought ACLU Freedom of Information Act request, including documents that reveal criminal wrongdoing.

The dump consists of its quarterly and annual reports to the President’s Intelligence Oversight Board from Q4/2001 to Q1/2013. They were heavily redacted prior to release, but even so, they reveal that the NSA illegally spied on Americans, including a parade of user-errors in which NSA operatives accidentally spied on themselves, raided their spouses’ data, and made self-serving errors in their interpretation of the rules under which they were allowed to gather and search data.

The National Security Agency today released reports on intelligence collection that may have violated the law or U.S. policy over more than a decade, including unauthorized surveillance of Americans’ overseas communications.

Michael Geist reports that Canadian telecom and Internet providers have tried to convince the government that they will voluntarily build surveillance capabilities into their networks. Hoping to avoid legislative requirements, the providers argue that “the telecommunications market will soon shift to a point where interception capability will simply become a standard component of available equipment, and that technical changes in the way communications actually travel on communications networks will make it even easier to intercept communications.”

The National Security Agency’s Office of Target Pursuit (OTP) maintains a team of engineers dedicated to cracking the encrypted traffic of virtual private networks (VPNs) and has developed tools that could potentially uncloak the traffic in the majority of VPNs used to secure traffic passing over the Internet today, according to documents published this week by the German news magazine Der Spiegel. A slide deck from a presentation by a member of OTP’s VPN Exploitation Team, dated September 13, 2010, details the process the NSA used at that time to attack VPNs—including tools with names drawn from Star Trek and other bits of popular culture.

Bruce Schneier has codified another lesson from the Sony Pictures hack: companies should know what data they can safely delete. He says, “One of the social trends of the computerization of our business and social communications tools is the loss of the ephemeral. Things we used to say in person or on the phone we now say in e-mail, by text message, or on social networking platforms. … Everything is now digital, and storage is cheap — why not save it all?

Sony illustrates the reason why not. The hackers published old e-mails from company executives that caused enormous public embarrassment to the company. They published old e-mails by employees that caused less-newsworthy personal embarrassment to those employees, and these messages are resulting in class-action lawsuits against the company. They published old documents. They published everything they got their hands on.”

Schneier recommends organizations immediately prepare a retention/deletion policy so in the likely event their security is breached, they can at least reduce the amount of harm done. What kind of retention policy does your organization enforce? Do you have any personal limits on storing old data?
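The retention policy Schneier recommends is easy to state and surprisingly rarely enforced. The following is an added illustration, not code from Schneier or from any organization mentioned on this page: a dry run that applies a per-category maximum age to a constructed inventory of stored records and reports what a breach would expose if the policy were not acted on. The categories, ages, legal-hold flag and file paths are all hypothetical.

```python
"""Retention-policy dry run (added example; categories and paths are constructed)."""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Record:
    path: str
    category: str          # e.g. "email", "chat", "contract", "hr"
    last_modified: date
    legal_hold: bool = False   # records under litigation hold are never purged


# Hypothetical policy: maximum age per category in days; None means keep indefinitely.
POLICY = {
    "email": 365,
    "chat": 90,
    "contract": None,
    "hr": 7 * 365,
}


def classify(records, policy, today):
    """Split records into (to_delete, to_keep, unclassified).

    Unclassified records are reported separately: a category the policy does
    not mention is a gap in the policy, not a licence to keep the data forever.
    """
    to_delete, to_keep, unclassified = [], [], []
    for r in records:
        if r.category not in policy:
            unclassified.append(r)
            continue
        max_age = policy[r.category]
        if r.legal_hold or max_age is None:
            to_keep.append(r)
        elif (today - r.last_modified).days > max_age:
            to_delete.append(r)
        else:
            to_keep.append(r)
    return to_delete, to_keep, unclassified


# Constructed sample inventory and a fixed "today" so the run is reproducible.
TODAY = date(2015, 1, 15)
SAMPLE = [
    Record("mail/ceo/2012-03.mbox", "email", date(2012, 3, 31)),
    Record("mail/ceo/2014-12.mbox", "email", date(2014, 12, 20)),
    Record("chat/sales/2014-06.log", "chat", date(2014, 6, 1)),
    Record("chat/legal/2013-01.log", "chat", date(2013, 1, 5), legal_hold=True),
    Record("contracts/vendor-x.pdf", "contract", date(2009, 5, 2)),
    Record("hr/reviews-2006.xlsx", "hr", date(2006, 4, 1)),
    Record("misc/unknown.bin", "temp", date(2010, 1, 1)),
]


def report(records=SAMPLE, policy=POLICY, today=TODAY):
    """Return sorted path lists per bucket, ready to hand to a reviewer."""
    delete, keep, unknown = classify(records, policy, today)
    return {
        "delete": sorted(r.path for r in delete),
        "keep": sorted(r.path for r in keep),
        "unclassified": sorted(r.path for r in unknown),
    }


if __name__ == "__main__":
    for bucket, paths in report().items():
        print(f"{bucket:>12}: {paths}")
```

Run it as a scheduled dry run first; the "delete" bucket is exactly the material that an intruder would otherwise find and that the organization had no business reason to keep.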

The Drug Enforcement Administration has been collecting information about millions of people in the US with a semi-secret network of automated license plate-readers. Its main purpose is enabling law enforcement to take people’s money without charging them with any crime.

According to the documents, the LEVITATION program can monitor downloads in several countries across Europe, the Middle East, North Africa, and North America. It is led by the Communications Security Establishment, or CSE, Canada’s equivalent of the NSA. (The Canadian agency was formerly known as “CSEC” until a recent name change.)

The latest disclosure sheds light on Canada’s broad existing surveillance capabilities at a time when the country’s government is pushing for a further expansion of security powers following attacks in Ottawa and Quebec last year.

“Every single thing that you do – in this case uploading/downloading files to these sites – that act is being archived, collected and analyzed,” Deibert said, after reviewing documents about the online spying operation for CBC News.

Samsung’s new SmartTV has a cool new voice-command feature, through which the Internet-connected device could record everything you say and transmit it to a third party, The Daily Beast writes.

The company’s voice-recognition software allows viewers to communicate with their television by talking to it. It is enabled when a microphone symbol appears. Basically, instead of using a traditional remote control to change the channel, people can simply ask their Samsung TV to change it for them by uttering a few words.

This is worrying people, largely because of a warning hidden deep inside its “privacy policy.” The Daily Beast first spotted this sentence, which reads:

“Please be aware that if your spoken words include personal or other sensitive information, that information will be among the data captured and transmitted to a third party.”

The Daily Beast makes the point that if peoples’ living room conversations are being recorded and passed on, privacy is being undermined. Homes are supposed to be places in which families and friends can talk about anything and everything.

Two years on, the difference is profound. In a single month, the N.S.A.’s invasive call-tracking program was declared unlawful by the courts and disowned by Congress. After a White House-appointed oversight board investigation found that this program had not stopped a single terrorist attack, even the president who once defended its propriety and criticized its disclosure has now ordered it terminated.

From the Snowden leaks, we know that the U.S. government is tapping into the backbones of our communications systems, servers, and transatlantic wires. It is sniffing wireless signals in cities and implementing broad online and telecoms data mining activities. But this is only the tip of the iceberg.

Wide-area surveillance tools are capable of recording high-resolution imagery of vast areas below them. Starting in 2004, the United States has deployed 65 Lockheed Martin blimps in Afghanistan that provide real-time video and audio surveillance across 100 square kilometers (just over 38 square miles) at a time. These Persistent Threat Detection Systems can record activity below them for periods of up to 30 days. Meanwhile on the ground, vast networks of cameras in our cities are being networked together in police databases and control centers, such as the NYPD Real-Time Crime Center, which processes data from over 6,000 surveillance cameras, as well as license plate readers which provide real-time tracking of vehicle movement.

…

And, of course, Silicon Valley is in the mix. A company called Planet Labs has recently deployed a network of 100 toaster-sized satellites that will take daily high-resolution images of everywhere on earth. The goal is to launch thousands—a persistent near-real-time surveillance tool, available to anyone online. They call these satellites Doves. A driverless Google car collects nearly 1 GB of data a second about the world around it, and the Internet of things is bringing data collection into our homes. A warning came with a recent Samsung smart TV about discussing “personal or other sensitive information” in its vicinity, as it could be transferred to a third party.

“And increasingly, such algorithms are used to kill. Russia guards five ballistic missile installations with armed one-ton robots, able to travel at speeds of 45 kilometers (about 28 miles) per hour, using radar and a laser range-finder to navigate, analyze potential targets, and fire machine guns without a human pulling the trigger. The Super Aegis 2 automated gun tower can lock onto a human target up to three kilometers (almost two miles) away in complete darkness and automatically fire a machine gun, rocket launcher, or surface-to-air missile. Unmanned aerial vehicles, ranging from autonomous bombers to insect-sized swarm drones, are increasingly able to collect and process data and kill on their own.”

The largest carriers in the world partner with companies like SAP to package up data on your movements, social graph and wake/sleep patterns and sell it to marketing firms.

Sometimes, the carriers are the data-brokers: Verizon’s acquisitions of AOL and Millennial Media means that the company now warehouses mobile phone usage data, ad network data, and has its own analytics firm in-house.

The data from carriers is merged with data from other sources, tying cellular-derived activities to shopping, credit scores, home ownership and other databases. The carriers also disclose home addresses and other private information to brokers, who use it to confirm their own records about who lives where, and with whom.

In 2010, the UK spy agency MI5 drafted memos informing top UK officials that its dragnet surveillance programme was gathering more information than it could make sense of, and warning that its indiscriminate approach to surveillance could put Britons at risk when signals about dangerous terror attacks were swamped by the noise of meaningless blips from the general population.

The memos are part of the Snowden docs, and it was published today by The Intercept, along with analysis by Ryan Gallagher, who notes that security service whistleblowers have warned that lives were being put at risk by indiscriminate surveillance, which is a liability for intelligence analysis, but an asset for civil service empire-building, given the budgets, procurements, and staffing associated with such projects.

The memos follow on from a 2009 study of Preston, a warrant-based telephone call wire-tapping programme, which found that 97% of the 5,000,000 communications intercepted under Preston in a six-month period were never reviewed.

This week, the US CBP published a notice in the Federal Register proposing a change to the Form I-94 Arrival/Departure Record paperwork that visitors to the US fill out when they cross the border, in which they announce plans to ask travellers to “please enter information associated with your online presence.”

The form element will be optional, but of course, CBP screeners may subject travellers who decline to reveal their online names to additional scrutiny.

Visitors to the USA are already photographed, fingerprinted, and interviewed.

Many countries have reciprocity policies through which they subject visitors to procedures that mirror those imposed by their own governments. For example, Brazil fingerprints Americans, because Americans fingerprint Brazilians; other visitors are not fingerprinted.

New Jersey public transit was forced to remove the bugs it had installed on its light rail system after a public outcry, but Baltimore’s buses and subways remain resolutely under audio surveillance, while in Oakland, the cops hid mics around bus-shelters near the courthouses to capture audio of defendants and their lawyers discussing their cases.

With special permission from the US attorney general, the nation’s top law enforcement official, the agents asked the email service provider to let them pry into the account: jacobscall@mail.com.

They discovered that the account had been created four months earlier, on 3 August, using internet access from a public library in Prince George’s County, Maryland. In the account registration, the user had identified himself as “Steven Jacobs,” having a residential address in Alexandria, Virginia. The account had been accessed half a dozen times from public libraries around Washington DC. There were no emails in the account except for test messages the person had sent to himself, and a reply from the Fraud Bureau in response to an inquiry he had made about an online company that sold fake IDs.

Earlier this year, companies like Silverpush were outed for sneaking ultrasonic communications channels into peoples’ devices, so that advertisers could covertly link different devices to a single user in order to build deeper, more complete surveillance profiles of them.

In an upcoming Black Hat London presentation, UCL security researcher Vasilios Mavroudis and colleagues will describe how these ultrasonic channels (which are being incorporated as a network channel in an increasing cloud of Internet of Things devices) can be exploited by attackers to spread malicious software throughout homes — they’ll demo an attack where “an attacker equipped with a simple beacon-emitting device (e.g., a smartphone) can walk into a Starbucks at peak hour and launch a profile-corruption attack against all customers currently taking advantage of uXDT-enabled apps.”

With more than 2,000 employees, the CSE’s chief mandate is intercepting, decoding and analyzing the electronic signals emanating from adversarial foreign nations and overseas threat actors. Much of the work takes place at the agency’s new $1.1-billion, 775,000-square-foot east Ottawa headquarters, a display of the importance government places on the service, which reports to the minister of national defence.

The raw eavesdropping data is turned into intelligence and shared with the federal cabinet, government departments and ECHELON, the signals intelligence surveillance program of Canada, the U.S., Britain, Australia and New Zealand, the so-called Five Eyes alliance. Their main preoccupation is counter-terrorism, though Russian expansionism is rekindling targeting not seen since the end of the Cold War.

The CSE also is responsible for government cyber defences. Federal computer systems are “probed” more than 100 million times a day by suspected malicious actors searching for vulnerabilities. And just over the horizon looms the added challenge of quantum computing, which is expected to cripple widely-used public key cryptography for securing government (and personal) information by 2026. The CSE has joined in a global research effort to find new cryptographic standards before then.

Though the CSE received no new powers under the 2015 Anti-terrorism Act (formerly Bill C-51), its mandate includes providing electronic spying assistance to other security agencies and law enforcement. Security intelligence experts suspect much of whatever assistance CSE renders is for the Canadian Security Intelligence Service, or CSIS, Canada’s human spy service. (CSIS funding is pegged at $593.9 million for 2016-17.)

The Federal Court of Canada has faulted Canada’s domestic spy agency for unlawfully retaining data and for not being truthful with judges who authorize its intelligence programs. Separately, the court also revealed that the spy agency no longer needs warrants to collect Canadians’ tax records.

All this has been exposed in a rare ruling about the growing scope of Canadian intelligence collection disclosed by the court on Thursday. At issue is how the federal domestic spy service has been pushing past its legal boundaries in the name of collecting data, in hopes of rounding out the holdings of a little-known Canadian intelligence facility dubbed the “operational data analysis centre.”

“Apple has acknowledged that its Icloud service is a weak link in its security model, because by design Apple can gain access to encrypted data stored in its customers’ accounts, which means that the company can be hacked, coerced or tricked into revealing otherwise secure customer data to law enforcement, spies and criminals.

So it’s alarming to learn that Iphones are designed to synch your call history — which includes calls placed over Skype, Whatsapp and Viber — to your Icloud account, even if you have turned this setting off. To make things worse, this synch operation is hidden from you: this data is not visible when you browse your Icloud account, but Apple still has it.

The discovery came from Russian security firm Elcomsoft, who make tools that help law-enforcement, private security and Apple customers gain access to data on Apple devices without the logins and passwords that are normally used to access this data.”

Mobile phones show where they are. According to Bruce Schneier, a cyber-security expert, the NSA uses this information to find out when people’s paths cross suspiciously often, which could indicate that they are meeting, even if they never speak on the line. The NSA traces American intelligence officers overseas and looks for phones that remain near them, possibly because they are being tailed. Location data can identify the owner of a disposable phone, known as a “burner”, because it travels around with a known phone.

The technical possibilities for obtaining information are now endless. Because photographs embed location data, they provide a log of where people have been. Touch ID is proof that someone is in a particular place at a particular time. Software can recognise faces, gaits and vehicles’ number plates. Commercially available devices can mimic mobile-phone base stations and intercept calls; more advanced models can alter texts, block calls or insert malware. In 2014 researchers reconstructed an audio signal from behind glass by measuring how sound waves were bouncing off a crisp packet. The plethora of wired devices in offices and houses, from smart meters to voice-activated controllers to the yet-to-be-useful intelligent refrigerator, all provide an “attack surface” for hacking—including by intelligence agencies. Britain’s government has banned the Apple Watch from cabinet meetings, fearing that it might be vulnerable to Russian hackers.

The agencies can also make use of the billows of “data exhaust” that people leave behind them as they go—including financial transactions, posts on social media and travel records. Some of this is open-source intelligence (known as OSINT), which the former head of the Bin Laden unit of the CIA has said provides “90% of what you need to know”. Private data can be obtained by warrant. Data sets are especially powerful in combination. Facial-recognition software linked to criminal records, say, could alert the authorities to a drug deal.
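The remark that photographs embed location data refers to the Exif GPS tags a camera or phone writes into the JPEG's APP1 segment. The following is an added example, not from the article quoted above: it builds a small JPEG with a constructed Exif GPS block (the coordinate is made up), parses the GPS IFD back into decimal degrees the way a metadata reader would, and then strips the Exif segment while leaving every other segment intact, which is the minimum a publisher or a journalist should do before a photo leaves the device. The builder, the segment walker and the sample comment segment are all assumptions for illustration; the tag numbers and TIFF layout are the standard Exif ones.

```python
"""Read and strip Exif GPS tags from a JPEG (added example; sample image is constructed)."""
import struct

EXIF_HDR = b"Exif\x00\x00"
GPS_IFD_TAG, LAT_REF, LAT, LON_REF, LON = 0x8825, 0x0001, 0x0002, 0x0003, 0x0004


def _rationals(deg, minutes, seconds):
    """Three Exif RATIONALs (numerator/denominator pairs) for a D/M/S triple."""
    return struct.pack(">IIIIII", deg, 1, minutes, 1, seconds, 1)


def build_sample_jpeg(lat=(51, 30, 26, "N"), lon=(0, 7, 39, "W")):
    """Constructed JPEG: SOI, APP1/Exif with a GPS IFD, a COM segment, EOI.

    TIFF offsets (from the "MM" header): IFD0 at 8, GPS IFD at 26,
    latitude rationals at 80, longitude rationals at 104.
    """
    gps_ifd_off, lat_off, lon_off = 26, 80, 104
    ifd0 = struct.pack(">H", 1) + struct.pack(">HHII", GPS_IFD_TAG, 4, 1, gps_ifd_off) + struct.pack(">I", 0)

    def ascii_entry(tag, ch):   # ASCII type 2, count 2 ("N\0"), stored inline in the value field
        return struct.pack(">HHI", tag, 2, 2) + ch.encode("ascii") + b"\x00\x00\x00"

    gps = struct.pack(">H", 4)
    gps += ascii_entry(LAT_REF, lat[3]) + struct.pack(">HHII", LAT, 5, 3, lat_off)
    gps += ascii_entry(LON_REF, lon[3]) + struct.pack(">HHII", LON, 5, 3, lon_off)
    gps += struct.pack(">I", 0)
    tiff = b"MM\x00\x2a" + struct.pack(">I", 8) + ifd0 + gps + _rationals(*lat[:3]) + _rationals(*lon[:3])
    app1_payload = EXIF_HDR + tiff
    app1 = b"\xff\xe1" + struct.pack(">H", len(app1_payload) + 2) + app1_payload
    com_payload = b"constructed sample"   # a harmless segment the stripper must keep
    com = b"\xff\xfe" + struct.pack(">H", len(com_payload) + 2) + com_payload
    return b"\xff\xd8" + app1 + com + b"\xff\xd9"


def _segments(jpeg):
    """Yield (marker, start, end) for each length-prefixed segment before SOS/EOI."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG")
    pos = 2
    while pos + 2 <= len(jpeg):
        if jpeg[pos] != 0xFF:
            raise ValueError("marker expected at offset %d" % pos)
        marker = jpeg[pos + 1]
        if marker in (0xD9, 0xDA):   # EOI or SOS: no metadata segments follow
            return
        length = struct.unpack(">H", jpeg[pos + 2:pos + 4])[0]
        yield marker, pos, pos + 2 + length
        pos += 2 + length


def _dms_to_decimal(dms, ref):
    d, m, s = dms
    value = d + m / 60 + s / 3600
    return -value if ref in ("S", "W") else value


def _parse_tiff_gps(tiff):
    endian = {b"MM": ">", b"II": "<"}[tiff[:2]]
    u16 = lambda off: struct.unpack(endian + "H", tiff[off:off + 2])[0]
    u32 = lambda off: struct.unpack(endian + "I", tiff[off:off + 4])[0]

    def entries(ifd_off):            # (tag, type, count, value-field offset)
        for i in range(u16(ifd_off)):
            e = ifd_off + 2 + 12 * i
            yield u16(e), u16(e + 2), u32(e + 4), e + 8

    gps_off = next((u32(vf) for tag, _, _, vf in entries(u32(4)) if tag == GPS_IFD_TAG), None)
    if gps_off is None:
        return None
    fields = {}
    for tag, typ, count, vf in entries(gps_off):
        if typ == 2:                 # ASCII: inline if it fits in 4 bytes, else at an offset
            start = vf if count <= 4 else u32(vf)
            fields[tag] = tiff[start:start + count].rstrip(b"\x00").decode("ascii")
        elif typ == 5:               # RATIONAL: always stored at an offset
            off = u32(vf)
            fields[tag] = [u32(off + 8 * j) / u32(off + 8 * j + 4) for j in range(count)]
    if not {LAT, LAT_REF, LON, LON_REF} <= fields.keys():
        return None
    return _dms_to_decimal(fields[LAT], fields[LAT_REF]), _dms_to_decimal(fields[LON], fields[LON_REF])


def extract_gps(jpeg):
    """Return (latitude, longitude) in decimal degrees, or None if no GPS tags."""
    for marker, start, end in _segments(jpeg):
        if marker == 0xE1 and jpeg[start + 4:start + 10] == EXIF_HDR:
            return _parse_tiff_gps(jpeg[start + 10:end])
    return None


def strip_exif(jpeg):
    """Copy the JPEG, dropping every APP1/Exif segment and keeping all others."""
    out, pos = bytearray(b"\xff\xd8"), 2
    for marker, start, end in _segments(jpeg):
        if not (marker == 0xE1 and jpeg[start + 4:start + 10] == EXIF_HDR):
            out += jpeg[start:end]
        pos = end
    out += jpeg[pos:]                # SOS + entropy-coded data + EOI, untouched
    return bytes(out)
```

Real cameras write many more tags (timestamps, serial numbers, thumbnails that may themselves contain a copy of the original image), so stripping the whole APP1 segment, as here, is safer than removing the GPS entries alone.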

When Facebook implemented Open Whisper Systems’ end-to-end encrypted messaging protocol for Whatsapp, they introduced a critical flaw that exposes more than a billion users to stealthy decryption of their private messages: in Facebook’s implementation, the company can force Whatsapp installations to silently generate new cryptographic keys (without any way for the user to know about this unless a deep settings checkbox had been ticked), which gives the company the ability to decrypt user messages, including messages that have already been sent in the past.

That means that a government could order Facebook to stealthily decrypt Whatsapp traffic, despite the company’s claims that it can’t do this under any circumstances.

Facebook spokespeople and cryptographers say that Facebook’s decision to implement Open Whisper Systems’ end-to-end cryptographic messaging protocol in such a way as to allow Facebook to decrypt them later without the user’s knowledge reflects a “limitation” — a compromise that allows users to continue conversations as they move from device to device — and not a “defect.”

Cryptographic systems have to accommodate some means of “re-keying” a conversation when old keys are lost, expired, or disposed of. The Whatsapp version of Open Whisper Systems allows Facebook to force a re-keying and a re-send of stored messages without user intervention, something that normally happens when you install Whatsapp on a new device and sync messages from earlier devices.

Moxie Marlinspike, developer of the encryption protocol used by both Signal and WhatsApp, defended the way WhatsApp behaves.

“The fact that WhatsApp handles key changes is not a ‘backdoor,'” he wrote in a blog post. “It is how cryptography works. Any attempt to intercept messages in transmit by the server is detectable by the sender, just like with Signal, PGP, or any other end-to-end encrypted communication system.”

He went on to say that, while it’s true that Signal, by default, requires a sender to manually verify keys and WhatsApp does not, both approaches have potential security and performance drawbacks. For instance, many users don’t understand how to go about verifying a new key and may turn off encryption altogether if it prevents their messages from going through or generates error messages that aren’t easy to understand. Security-conscious users, meanwhile, can enable security notifications and rely on a “safety number” to verify new keys. He continued:
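The disagreement above comes down to one client-side decision: when the server delivers a new identity key for a contact, does the client refuse to send until the user has compared safety numbers out of band, or does it warn (or say nothing) and re-encrypt to the new key? The example below is added here and is not WhatsApp's, Signal's or Open Whisper Systems' code. It pins each contact's identity key on first use, detects a key change, and shows both policies side by side; the identity keys are constructed random bytes and the "safety number" is a simplified symmetric fingerprint of both keys, an assumption for illustration rather than the real Signal safety-number algorithm.

```python
"""Identity-key pinning and key-change handling (added example; keys are constructed)."""
import hashlib
import secrets


def safety_number(key_a: bytes, key_b: bytes, digits: int = 30) -> str:
    """Simplified symmetric fingerprint of two identity keys as decimal digits.

    Keys are sorted before hashing so both parties compute the same string and
    can read it to each other over a channel the server does not control.
    """
    digest = hashlib.sha256(b"".join(sorted([key_a, key_b]))).digest()
    s = str(int.from_bytes(digest, "big") % (10 ** digits)).zfill(digits)
    return " ".join(s[i:i + 5] for i in range(0, digits, 5))


class ContactStore:
    """Trust-on-first-use pin of each contact's identity key."""

    def __init__(self, my_key: bytes, block_on_change: bool = True):
        self.my_key = my_key
        self.block_on_change = block_on_change   # True: Signal-style, False: warn and continue
        self.pins = {}      # contact -> (key, verified)
        self.events = []    # audit trail of observed key changes

    def observe_key(self, contact: str, key: bytes) -> str:
        """Called whenever the server delivers a key for `contact`."""
        if contact not in self.pins:
            self.pins[contact] = (key, False)
            return "pinned"
        old, _ = self.pins[contact]
        if old == key:
            return "unchanged"
        self.events.append((contact, old, key))   # a change is always logged
        if self.block_on_change:
            return "changed-blocked"   # keep the old pin; nothing is encrypted to the new key
        self.pins[contact] = (key, False)          # accept silently-ish: the user only sees a warning
        return "changed-warned"

    def may_send(self, contact: str, key: bytes) -> bool:
        """Encrypt to `key` only if it is the pinned key for `contact`."""
        pinned, _ = self.pins.get(contact, (None, False))
        return pinned == key

    def mark_verified(self, contact: str, key: bytes, spoken: str) -> bool:
        """Accept a new key only if the out-of-band safety number matches."""
        if safety_number(self.my_key, key) != spoken:
            return False
        self.pins[contact] = (key, True)
        return True


def scenario(block_on_change: bool):
    """Alice pins Bob's key, the server then presents a different key for Bob."""
    alice = secrets.token_bytes(32)
    bob_key1 = secrets.token_bytes(32)
    bob_key2 = secrets.token_bytes(32)   # Bob reinstalled, or the server forced a change
    store = ContactStore(alice, block_on_change)
    first = store.observe_key("bob", bob_key1)
    second = store.observe_key("bob", bob_key2)
    sendable_before_verify = store.may_send("bob", bob_key2)
    spoken = safety_number(bob_key2, alice)   # what Bob's phone displays and Bob reads aloud
    verified = store.mark_verified("bob", bob_key2, spoken)
    return first, second, sendable_before_verify, verified, store.may_send("bob", bob_key2)


if __name__ == "__main__":
    print("block-on-change:", scenario(True))
    print("warn-and-continue:", scenario(False))
```

In the blocking policy the third value is False: no message is encrypted to the unverified key, so a server-side key swap cannot silently capture a resend of queued messages. In the warn-and-continue policy it is True, which is the usability trade-off Marlinspike describes; in both cases the change is logged, and a client that hides that log from the user has removed the only signal the sender has.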

“Notably, the partnership has included building software specifically to facilitate, augment, and accelerate the use of XKEYSCORE, one of the most expansive and potentially intrusive tools in the NSA’s arsenal. According to Snowden documents published by The Guardian in 2013, XKEYSCORE is by the NSA’s own admission its “widest reaching” program, capturing “nearly everything a typical user does on the internet.” A subsequent report by The Intercept showed that XKEYSCORE’s “collected communications not only include emails, chats, and web-browsing traffic, but also pictures, documents, voice calls, webcam photos, web searches, advertising analytics traffic, social media traffic, botnet traffic, logged keystrokes, computer network exploitation targeting, intercepted username and password pairs, file uploads to online services, Skype sessions, and more.” For the NSA and its global partners, XKEYSCORE makes all of this as searchable as a hotel reservation site.”

Green party politician Malte Spitz sued to have German telecoms giant Deutsche Telekom hand over six months of his phone data that he then made available to ZEIT ONLINE. We combined this geolocation data with information relating to his life as a politician, such as Twitter feeds, blog entries and websites, all of which is freely available on the internet.

By pushing the play button, you will set off on a trip through Malte Spitz’s life. The speed controller allows you to adjust how fast you travel, the pause button will let you stop at interesting points. In addition, a calendar at the bottom shows when he was in a particular location and can be used to jump to a specific time period. Each column corresponds to one day.

The government claims the authority to search all electronic devices at the border, no matter your legal status in the country or whether they have any reason to suspect that you’ve committed a crime. You can state that you don’t consent to such a search, but unfortunately this likely won’t prevent CBP from taking your phone.

If you’ve given Customs and Border Protection agents the password to your device (or if you don’t have one), they might conduct what’s often called a “cursory search” on the spot. They might also download the full contents of your device and save a copy of your data. According to CBP policy from 2009, they are not required to return your device before you leave the airport or other port of entry, and they might choose to send it off for a more thorough “forensic” search. Barring “extenuating circumstances,” they claim the authority to hold onto your device for five days — though “extenuating circumstances” is an undefined term in this context, and this period can be extended by seven-day increments. We’ve received reports of phones being held for weeks or even months.

It’s important to start by breaking down President Trump’s initial claim: that Obama wiretapped him for political purposes. Nonsense. There is no evidence that Obama was directly involved, ordered a wiretap, or acted for political reasons. There isn’t even any evidence that a wiretap exists. (Trump is hiding behind his use of quotation marks in the tweet, but wiretap has a very technical, legal meaning). Getting to this point has taken up most of the air since the tweet. Let’s be done with that debate. On its face, absent other, increasingly unlikely evidence to the contrary, Trump’s initial tweet is balderdash.

But let’s be generous and assume that he meant that the government spied on him while he was a candidate. That almost certainly is true. Why? Because the government has surveilled virtually all Americans. We know it did because of the Snowden leaks, and because it has argued in court that no volume of surveillance violates a reasonable expectation of privacy when it comes to metadata. While one program—the telephone metadata dragnet—was technically ended (and in some ways codified) by the USA Freedom Act in 2015, another law is still on the books with virtually no limits.

Specifically, it’s Section 702 of the FISA Amendments Act of 2008, which allows collection of all information in the possession of American technology companies based on keywords (known in government parlance as selectors). This information can be in transit over the Internet’s backbone or in storage with companies like Google.

The primary limit on this authority is that “targets” for collection aren’t supposed to be Americans. Targets numbered about 94,000 in 2015, but, critically, can be groups of people and even foreign powers. A single person’s selectors — every cookie on a computer, every device’s MAC address, every email address, etc. — could number in the hundreds, if not thousands. Even a group like al-Qaida could well be considered a single target with hundreds of thousands of selectors (or more).

Section 702 allows the government to force American companies to hand over all information tied to those selectors. When the data is at rest (like an email you have but aren’t looking at right now), this collection is referred to as Prism; when the data is in motion (like Google sending your email to your computer), the data is picked up in real time off the backbone of the Internet. That information delivered to the government includes enormous amounts of Americans’ information. A Washington Post analysis of Snowden documents found that nine out of 10 accounts swept up under the government’s mass surveillance programs were not the targeted accounts, and that half of the accounts belonged to Americans. How many Americans? We have no idea. It’s been nearly a year since the intelligence community promised an official estimate of how many are affected by 702—but they still haven’t delivered.

“That means that your information can get caught up in an investigation because you called or emailed someone who the government thinks, without any judicial review, is somehow related to a foreign power — and even if you haven’t, the government is still literally forcing a company to search through every one of your communications routed through it, all without a warrant. And it happens not only for national security reasons, but also for purposes as nebulous as “foreign affairs.” The secret FISA Court is the only actor outside of the Executive Branch that exercises real oversight, and it only reviews the overall reasons for collection, the procedures the government will use to mask Americans’ information, and may narrow collection from a programmatic standpoint. They don’t check who exactly is on the list.”

Chile, Luxembourg, England and New Zealand have weakened protections of whistleblowers. And in Canada, a new anti-terrorism measure allows police officers to spy on journalists if they suspect that they are talking to criminals. In November, it was reported that at least six journalists had been spied on by the Quebec police. Weeks before, another reporter had his computer seized. In Montreal, a journalist had his mobile phone tapped by authorities.

Not long ago, it was routine for investigators to talk to reporters without fear of reprisal. Patrice Carrier, the investigator who reported Mainville’s meeting with the reporter to superiors, told the inquiry Friday that times have changed. What used to be considered “normal discussions” are now considered “leaks,” he said.

The inquiry heard last week that 37 officers were investigated as possible sources of the 2014 leak concerning the child’s death, but the leaker was never identified. Montreal police had been called in to investigate the fatal accident because the driver was a provincial police officer. The leak came as Crown prosecutors declined to charge the officer. The Justice Minister intervened following a public outcry, and the officer was charged with dangerous driving causing death in 2015.

Concern about leaks from within the Montreal police persisted, and in January 2016, the internal affairs unit crafted an investigation plan to root out the culprits.

The plan, filed as evidence at the inquiry, was named “Project Spy,” and it set the table for the police to track the cellphone of La Presse reporter Patrick Lagacé later that spring. The investigation was prompted by stories in La Presse about a briefcase stolen from a police commander’s car and about defective bulletproof vests that were hobbling the tactical squad.

I also don’t have a Gmail account, because I don’t want Google storing my e-mail. But my guess is that it has about half of my e-mail anyway, because so many people I correspond with have accounts. I can’t even avoid it by choosing not to write to gmail.com addresses, because I have no way of knowing if newperson@company.com is hosted at Gmail.

And again, many companies that track us do so in secret, without our knowledge and consent. And most of the time we can’t opt out. Sometimes it’s a company like Equifax that doesn’t answer to us in any way. Sometimes it’s a company like Facebook, which is effectively a monopoly because of its sheer size. And sometimes it’s our cell phone provider. All of them have decided to track us and not compete by offering consumers privacy. Sure, you can tell people not to have an e-mail account or cell phone, but that’s not a realistic option for most people living in 21st-century America.

This month, University of Washington researchers will present Exploring ADINT: Using Ad Targeting for Surveillance on a Budget — or — How Alice Can Buy Ads to Track Bob at the Workshop on Privacy in the Electronic Society in Dallas; the paper details a novel way that stalkers and other low-level criminals can accomplish state-grade surveillance on the cheap with targeted ad-purchases.

In the summer of 2011, a day after the ambush-style shooting death of Keith Brissett Jr., Peel Regional Police obtained a production order from a justice of the peace for a “tower dump” as part of the investigation.

The request permitted police to obtain subscriber data and call records of anyone who used their mobile devices near cell towers, in a location in Mississauga, just outside of Toronto. The immediate suspect was Sheldon Ranglin, who was believed to have shot Brissett to death in a revenge attack.

Ranglin was ultimately convicted of first-degree murder at trial nearly five years later, based on other evidence. None of the information turned over from the tower dump was put to the jury by the Crown. The many individuals who were not a target in the murder investigation yet had personal phone data turned over to the police were not notified of this fact because there is no legal requirement to do so. What happened to this information and with data that is obtained from any other tower dump production order is also unknown, because unlike traditional wiretap authorizations, reporting requirements are virtually non-existent.

Michael Moon, the defence lawyer who represented Ranglin, says tower dump requests are not unusual in Toronto-area murder investigations. “You can have thousands and thousands of people accessing the same tower,” says Moon, who heads Moon Rozier LPC in Brampton, Ont. Unless it uncovers information that may negatively impact a client, there is no reason for the defence to challenge these sweeping orders, he points out.

The Ranglin case is just one example of how police surveillance techniques have fundamentally changed as a result of new technologies. Instead of seeking court permission for traditional wiretaps, law enforcement will obtain orders to access an enormous volume of text messages or other mobile device data. Instead of listening to the wiretaps — or “wires” — police will utilize tower dumps or other devices, such as International Mobile Subscriber Identity — or IMSI — catchers, which impersonate actual cell towers and trick phones into attaching to them and disclosing phone log and location information.

Connections like these seem inexplicable if you assume Facebook only knows what you’ve told it about yourself. They’re less mysterious if you know about the other file Facebook keeps on you—one that you can’t see or control.

Having issued this warning, and having acknowledged that people in your address book may not necessarily want to be connected to you, Facebook will then do exactly what it warned you not to do. If you agree to share your contacts, every piece of contact data you possess will go to Facebook, and the network will then use it to try to search for connections between everyone you know, no matter how slightly—and you won’t see it happen.

…

That accumulation of contact data from hundreds of people means that Facebook probably knows every address you’ve ever lived at, every email address you’ve ever used, every landline and cell phone number you’ve ever been associated with, all of your nicknames, any social network profiles associated with you, all your former instant message accounts, and anything else someone might have added about you to their phone book.

Once it has gathered all of this information and determined the mode of transportation you’re currently taking, it can then begin to narrow down where you are. For flights, four algorithms begin to estimate the target’s location and narrow down the possibilities until the error rate hits zero.

If you’re driving, it can be even easier. The app knows the time zone you’re in based on the information your phone has provided to it. It then accesses information from your barometer and magnetometer and compares it to information from publicly available maps and weather reports. After that, it keeps track of the turns you make. With each turn, the possible locations whittle down until it pinpoints exactly where you are.
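The driving case above is essentially map matching on a turn sequence: every turn eliminates road segments whose geometry could not have produced it. The following is an added example, not code from the article or from the research it describes. It uses a constructed seven-intersection toy map (an assumption made for the demo) and takes compass headings directly, standing in for the magnetometer trace a phone would supply; it shows how quickly the candidate set collapses, which is why sensors that need no location permission still deserve to be treated as location data.

```python
"""Turn-sequence map matching on a constructed toy road network.

Added example; not code from the quoted article or from the PinMe work.
The map is a made-up seven-intersection network, and headings are given
directly rather than read from a magnetometer.
"""
import math
from collections import defaultdict

# Constructed intersections (x east, y north) and two-way streets.
NODES = {"A": (0, 0), "B": (1, 0), "C": (2, 0), "D": (3, 0),
         "E": (1, 1), "G": (2, 1), "F": (2, -1)}
STREETS = [("A", "B"), ("B", "C"), ("C", "D"), ("B", "E"),
           ("E", "G"), ("G", "C"), ("C", "F")]


def heading(a: str, b: str) -> float:
    """Compass heading in degrees (0 = north, 90 = east) from a to b."""
    (x1, y1), (x2, y2) = NODES[a], NODES[b]
    return math.degrees(math.atan2(x2 - x1, y2 - y1)) % 360


def classify_turn(h_in: float, h_out: float):
    """'S' straight, 'L' left, 'R' right; None for a U-turn."""
    delta = (h_out - h_in + 180) % 360 - 180  # signed change in (-180, 180]
    if abs(delta) < 30:
        return "S"
    if abs(delta) > 150:
        return None
    return "R" if delta > 0 else "L"


def turns_from_headings(headings):
    """Reduce a heading trace (one reading per segment) to a turn list."""
    return [classify_turn(h0, h1) for h0, h1 in zip(headings, headings[1:])]


def build_graph():
    adj = defaultdict(list)
    for a, b in STREETS:
        adj[a].append(b)
        adj[b].append(a)
    return adj


def match_turns(turns):
    """Filter directed road segments consistent with the observed turns.

    Returns the surviving (from, to) segments and the candidate count
    after each turn, starting with every directed segment on the map.
    """
    adj = build_graph()
    candidates = {(a, b) for a in adj for b in adj[a]}
    history = [len(candidates)]
    for turn in turns:
        survivors = set()
        for prev, cur in candidates:
            h_in = heading(prev, cur)
            for nxt in adj[cur]:
                if nxt == prev:  # no reversing on the same street
                    continue
                if classify_turn(h_in, heading(cur, nxt)) == turn:
                    survivors.add((cur, nxt))
        candidates = survivors
        history.append(len(candidates))
    return candidates, history


if __name__ == "__main__":
    # Constructed trace for the route A->B->E->G->C->F: east, north,
    # east, south, south.
    observed = turns_from_headings([90, 0, 90, 180, 180])
    where, counts = match_turns(observed)
    print(observed, counts, where)
```

On the toy map the candidate count falls 14, 8, 4, 2, 1 across four turns, ending on the segment from C to F, which is exactly where the constructed route ends. A real city grid is far more symmetric than this map, so more turns are needed, but the mechanism is the same, and the magnetometer readings that feed it require no location permission on most platforms.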